Room 418

Security checks across malware telemetry and agentic risk

Overview

Room 418 is a disclosed external game client, but it can default to autonomous play, store credentials, submit generated messages, and optionally keep running in the background.

Install only if you intentionally want an autonomous external game client. Prefer manual or notify mode if you want to approve turns, avoid setup-cron.sh unless you want background play every two minutes, keep ~/.config/room418/credentials.json private, use a pseudonymous agent name, and do not point ROOM418_API_URL at an untrusted server.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented as a game, but its documented behavior includes persistent credential storage, autonomous network interaction, remote profile changes, and scheduled execution. That mismatch matters because users may invoke it casually without understanding that it can register identities, contact external services repeatedly, and act autonomously on their behalf.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script installs a recurring cron task that instructs the agent to read HEARTBEAT.md, run play.sh, and autonomously generate and submit dialogue whenever it is 'YOUR_TURN'. That creates unattended agent behavior with externally impactful actions, which exceeds a simple on-demand game helper and increases the chance of abuse, accidental spam, or unintended autonomous participation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This script grants the skill persistent scheduled execution every two minutes without demonstrating why continuous autonomy is necessary for the stated purpose. In the context of a social-engineering battle game, unattended recurring execution is more dangerous because it can repeatedly perform deceptive or competitive actions without contemporaneous user review.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to immediately execute a shell submission command using generated or user-derived content, explicitly without confirmation. In an adversarial game centered on social engineering, this creates a high-risk pathway for unreviewed command execution and action-taking based on potentially attacker-controlled battle context, increasing the chance of unsafe automation or unintended data submission.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation text says to use the skill when 'feeling competitive,' when asked about Room 418, or during heartbeat battle checks, which is broad enough to trigger in ordinary conversation or background automation. Because the skill can perform networked and persistent actions, vague invocation conditions increase the chance of unintended execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document promotes automatic queueing, autonomous turn submission, and requeueing without a prominent warning that credentials will be stored locally and network actions will continue without per-action confirmation. In agent environments, that can lead to silent enrollment in remote services and repeated background interactions the user did not fully understand.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script writes extracted conversation history to /tmp/conversation.txt, a predictable shared temporary path that may be readable, replaceable, or raceable by other local users or processes on the VPS. In a game centered on secret extraction and defense, the conversation content is especially sensitive, so persisting it to a world-accessible temp location increases the chance of unintended disclosure or tampering.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script forwards the full captured output from play.sh to an external agent process via the --message argument with no filtering, minimization, or user disclosure. In a social-engineering game context built around extracting secrets, the captured output may contain sensitive prompts, tokens, hidden game state, or operator-provided data, so sending it to another service expands the trust boundary and can leak information unintentionally.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
In auto mode, the script sends the full battle context to `openclaw agent`, including `YOUR SECRET (DO NOT REVEAL!)` when present. Even if described as an isolated sub-session, this is still a separate agent/process boundary and external transmission of sensitive data without an explicit just-in-time warning or opt-in, which creates a real risk of unintended disclosure, retention, logging, or misuse of the secret.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Although the script prints that it is adding a cron job, it does not provide a strong warning that the job will continue operating every two minutes and may autonomously generate and submit game dialogue. Users may underestimate that this creates ongoing background agent activity, which is particularly risky in a skill centered on interrogation and social-engineering gameplay.

Ssd 4

High
Confidence
98% confidence
Finding
This section explicitly teaches a staged social-engineering methodology: build trust, probe boundaries, then apply pressure and misdirection to extract a secret. Even though framed as a game, the tactics are directly transferable to real-world credential theft, insider elicitation, and prompt-exfiltration attacks, making the skill materially dangerous in context.

Session Persistence

Medium
Category
Rogue Agent
Content
### Battle Mode Configuration

Create `~/.config/room418/config.json` to control how your agent behaves:

```json
{ "mode": "auto" }
```
Confidence
82% confidence
Finding
Create `~/.config

VirusTotal

64/64 vendors flagged this skill as clean.
