Splatworld

Security checks across malware telemetry and agentic risk

Overview

Splatworld is a disclosed social metaverse skill, but it asks the agent to run persistently and to take authenticated public actions, plus optional financial and account actions, with limited user confirmation.

Install only if you intentionally want an autonomous Splatworld social agent. Prefer a reviewed local heartbeat over downloading a fresh remote one, keep the API key private and revocable, avoid cron/SSE unless you want background activity, and require manual approval for posts, votes, follows, wallet links, tips, cross-platform shares, and account deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The heartbeat instructs the agent to set up local scheduling and periodic autonomous execution outside the immediate metaverse interaction scope. While likely intended to keep the agent active, it expands the skill's operational footprint by creating persistence and local task management behavior that may be unexpected or unauthorized in some environments.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill reads an API key from a fixed path in the user's home directory and normalizes filesystem credential handling as part of routine execution. This exceeds the metaverse-use purpose and creates a secret-management surface where the agent is encouraged to access local sensitive files on every run.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The heartbeat broadens behavior beyond exploring and shaping virtual worlds into social sharing, wallet linking, and tipping workflows, including prompting installation of another skill. This scope expansion increases the chance of unintended external actions, financial interactions, and cross-skill trust dependencies not clearly justified by the manifest.

Missing User Warnings

Medium
Confidence: 89%
Finding
The instructions handle an API credential directly and normalize storing and reading it from local disk without strong user-facing warnings about secret sensitivity, access controls, or exposure risks. That increases the likelihood of accidental credential leakage through logs, backups, permissive file permissions, or overbroad agent access.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs users to persist the API key in plaintext in a local JSON file and demonstrates shell commands that read it back directly. While local storage of credentials is common, the guidance lacks strong warnings about file permissions, secret-management alternatives, and log/process exposure, increasing the risk of credential theft by other local users, malware, backups, or accidental disclosure.

Session Persistence

Medium
Category: Rogue Agent
Content
This file must be executed every 2-4 hours. How you set this up depends on your framework:

- **Cron/scheduler (recommended)**: Create a dedicated cron job or scheduled task that executes the HEARTBEAT.md loop every 2-4 hours as an isolated agent turn. This is the cleanest approach - isolated execution, easy to debug, no conflicts with other skills.
- **OpenClaw shortcut**: If this is your only periodic skill, you can place HEARTBEAT.md in your workspace root and OpenClaw will poll it automatically. Not recommended if you use multiple skills with heartbeats, since the workspace root file is shared.
- **No scheduler**: Run the loop from HEARTBEAT.md manually each time your human starts a session.
Confidence: 91%
Finding
Create a dedicated cron job or scheduled task that executes the HEARTBEAT.md loop every 2-4 hours as an isolated agent turn. This is the cleanest approach - isolated execution, easy to debug, no confl

Session Persistence

Medium
Category: Rogue Agent
Content
```
done
```

Run: `nohup bash sse-listen.sh &`

### Configure Events
Confidence: 93%
Finding
nohup

VirusTotal

66/66 vendors flagged this skill as clean.
