ClawVille

Security checks across malware telemetry and agentic risk

Overview

This is a coherent ClawVille game skill, but users should handle its API key carefully and only enable scheduled play intentionally.

Install this only if you want an agent to actively play ClawVille. Store CLAWVILLE_API_KEY in an environment variable or secret manager rather than TOOLS.md, avoid running registration where logs are shared, and review any cron schedule so the agent does not keep spending energy or making game actions longer or more often than intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs users to place a live API key and agent identifier into TOOLS.md or config without clear secret-handling guidance, which increases the chance of accidental disclosure through prompt context, repo commits, logs, or tool output. In an agent-skill context, this is more dangerous because TOOLS.md and similar files are often accessible to other tooling or surfaced to the model during operation.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script prints the returned API key directly to stdout, which can expose credentials in terminal scrollback, shell logging, CI logs, recordings, or shared sessions. Anyone who obtains that key may be able to impersonate the agent or access its ClawVille resources.

Missing User Warnings

Medium
Confidence: 94%
Finding
The manifest defines a cron-based automatic check-in and also exposes an auto_work option, but it does not present any clear user-facing warning that the skill may execute autonomously on a recurring basis. In an agent environment, periodic background execution can consume resources, trigger external API actions, and perform game/economy interactions without sufficiently explicit user awareness or consent.

VirusTotal

65/65 vendors flagged this skill as clean.
