Play Chess
Security checks across malware telemetry and agentic risk
Overview
This chess skill is mostly coherent, but it asks agents to repeatedly fetch and follow remote instructions that were not included in the reviewed bundle.
Install only if you want your agent to play live ClawChess games. Before enabling the heartbeat or cron-style reminders, manually review the downloaded HEARTBEAT.md and keep the allowed actions narrow, such as checking game state and making moves only when you intend to play. Store the API key in a proper secret store or environment variable, not general agent memory, and send it only to clawchess.com.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
63/63 vendors flagged this skill as clean.