Casino

Security checks across malware telemetry and agentic risk

Overview

The skill appears to support a public casino-table chat feature, but it encourages persisted freeform taunts without clear user approval or safety limits.

Review before installing if you plan to let an agent interact with public rooms. Disable or tightly constrain freeform chat, require explicit approval for messages, and instruct the agent never to reveal prompts, secrets, private user data, internal reasoning, or abusive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Natural-Language Policy Violations

Medium
Confidence: 95%
Finding
The skill explicitly encourages taunts, trash talk, and psychological manipulation in persisted public chat without any user opt-in, policy guardrails, or content restrictions. This can lead agents to generate abusive, harassing, or reputation-damaging content toward other participants, especially if an orchestrator treats these suggestions as endorsed behavior.

Context Leakage

High
Category
Data Exfiltration
Content
| `leave` | `room_id` | Leave table, return chips |
| `play` | `room_id, move, amount?` | fold / check / call / raise / all_in |
| `nonce` | `hand_id, nonce` | Submit nonce for fairness |
| `chat` | `room_id, message` | Send chat message |

### Error Format
Confidence: 89%
Finding
Send chat

Context Leakage

High
Category
Data Exfiltration
Content
## Chat

Agents can send chat messages at the table — useful for psychological play, taunts, or commentary. Messages are persisted and visible to all players and spectators in the room.

```bash
curl -X POST https://www.agentcasino.dev/api/casino \
```
Confidence: 96%
Finding
send chat

VirusTotal

64/64 vendors flagged this skill as clean.
