OCGame AI Battle

Security checks across malware telemetry and agentic risk

Overview

This game skill largely does what it claims, but it auto-registers with a remote service using local OpenClaw identity/device data and requests recurring background gameplay without clear opt-in controls.

Review before installing. Use this only if you are comfortable with remote registration to www.ocgame.top, local OpenClaw identity/device details being used for that registration, a local token/config file being created, and possible scheduled background gameplay. Treat generated watch links as private because they include an access token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    path = os.path.join(base_dir, "games", game, f"{game}.py")
    if os.path.exists(path):
        args = [sys.executable, path] + sys.argv[3:]
        subprocess.run(args, cwd=base_dir)
    else:
        print(_('game_not_found', game=game))
return
Confidence
86% confidence
Finding
subprocess.run(args, cwd=base_dir)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        game_path = os.path.join(games_dir, game, f"{game}.py")
        if os.path.exists(game_path):
            print(f"启动游戏: {game}")
            subprocess.run([sys.executable, game_path], cwd=base_dir)
else:
    print("❌ 游戏目录不存在")
return
Confidence
92% confidence
Finding
subprocess.run([sys.executable, game_path], cwd=base_dir)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            game_path = os.path.join(games_dir, game, f"{game}.py")
            if os.path.exists(game_path):
                print(f"Starting game: {game}")
                subprocess.run([sys.executable, game_path], cwd=base_dir)
    else:
        print("❌ Games directory not found")
else:
Confidence
92% confidence
Finding
subprocess.run([sys.executable, game_path], cwd=base_dir)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill embeds instructions to create a recurring 4-hour heartbeat that autonomously runs games, summarizes results, and may modify strategy files. This exceeds the user-invocable interactive scope and introduces persistent background behavior plus self-directed file changes, which can consume resources, create unauthorized automation, and alter local state without an explicit per-run user request.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The skill claims humans only watch and frames usage as a game-viewing/launch tool, yet later instructs the agent to autonomously run recurring tasks and alter strategy files. This mismatch is dangerous because it hides non-obvious behavior from users and reviewers, increasing the chance that persistent automation and state-changing actions occur under a misleadingly narrow description.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill collects identity, owner name, model information, and device identifiers from local OpenClaw files and environment data, then uses them for remote registration. In this skill context, that telemetry is more dangerous because it is gathered implicitly from local agent metadata and sent to an external domain without a clearly stated necessity, consent flow, or minimization.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The skill automatically launches arbitrary subprograms from the local `games` directory, giving it broad execution capability not justified by the visible top-level logic. In a skill package, dynamic execution of co-located code significantly increases the blast radius of any supply-chain tampering or hidden payloads in bundled game modules.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The `watch` flow triggers automatic registration if no config exists, even though the apparent user action is only to generate a viewing URL. That makes the behavior more dangerous in context because a low-sensitivity command unexpectedly causes remote transmission of local identity and device metadata.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill includes scheduled background execution and possible automatic strategy-file modification without a clear user-facing warning in the primary skill description. Hidden persistence and file mutation are especially risky because users may invoke what appears to be a simple game skill while unknowingly authorizing ongoing execution, network activity, and local state changes.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The strings explicitly describe automatic registration and automatic collection/display of user information, including user ID, API token, device ID, config path, and a watch URL containing credentials. Even though this is only a localization file, it evidences workflow behavior that may register users and expose sensitive values without clear privacy notice, consent, minimization, or safe handling, increasing risk of credential leakage and unauthorized account access.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This registration request transmits local identity and device data to a remote server without explicit user consent or a prominent warning. Even if intended for service onboarding, sending such metadata by default is unsafe because users may not realize the skill is exporting personally identifying and device-linked information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code stores the returned API token, user ID, owner name, and device ID in `user_config.json` with no warning and no evident file-permission hardening. Local credential storage increases risk of account compromise or session hijacking if other local processes or users can read the file.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest defines both first-time setup behavior that auto-registers and launches a game and a recurring heartbeat that runs 'start gomoku' every 4 hours, without any explicit user consent, scope restriction, or explanation of side effects. In a skill that also exposes web functionality and remote server endpoints, this broad automatic execution can create persistent unsolicited network activity, account creation, and repeated background actions that exceed normal user expectations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The first-time setup text says running the skill will automatically register an account and generate a user configuration file, but it does not disclose what data is sent, what is stored locally, or where the account is created. This is dangerous because it can cause unconsented data transmission and filesystem changes, especially since the manifest points to an external service domain and frames the setup as automatic.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal