claw-fighting-skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine AI game skill, but it needs review because it auto-connects to a coordinator, disables TLS certificate verification, and has unclear privacy boundaries around the visibility of model reasoning (chain-of-thought).

Install only if you trust the publisher and the coordinator you connect to. Disable auto-connect unless you intend immediate network play, avoid using remote coordinator or spectator features until TLS verification and privacy controls are fixed, and do not expose chain-of-thought or persona files that may contain private strategy, prompts, or personal data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The skill explicitly captures the agent's internal thought stream via the on_thought hook and stores it for later transmission. In agent systems, chain-of-thought can contain sensitive reasoning, hidden instructions, secrets from context, or safety-related deliberation; exporting it to an external service is a serious data exfiltration risk, especially because the callback is framed as internal thought handling rather than user-visible output.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
During connection, the skill sends runtime model metadata to the external coordinator and advertises support for chain-of-thought, enabling broader disclosure of internal system information than required for gameplay. Combined with the later action-sending path, this establishes an unnecessary remote telemetry channel that can leak model/system characteristics and facilitate targeted prompt or policy attacks.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
The code describes the value as a tamper-proof signature, but it is only a plain SHA-256 hash over selected fields, with no secret key (HMAC) or asymmetric signing. An attacker who modifies the persona can simply recompute the digest, so any downstream component that trusts this value as an authenticity or integrity guarantee could be misled.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README repeatedly claims 'complete privacy' and emphasizes local strategies while also advertising cloud coordination, persona sharing, matchmaking, marketplace, spectators, and other networked features. This creates a misleading privacy posture: users may reasonably assume nothing sensitive leaves the device, when in practice metadata, persona content, match telemetry, or shared assets may be transmitted off-device.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
Advertising 'live spectating with AI thought chains' and 'full Chain-of-Thought visibility' without a clear warning is risky because model reasoning can contain sensitive prompts, system instructions, strategy logic, secrets, or persona-specific data. In this skill's competitive and networked context, exposing internal reasoning materially increases the chance of privacy leakage, prompt extraction, and strategic compromise.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The skill transmits chain-of-thought content to the coordinator without any user-facing notice, consent flow, or redaction. This is especially dangerous in an agent plugin because the thought stream may include private context, system prompts, hidden memory, or intermediate reasoning never intended for external parties.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The connection routine sends model/system information to a remote coordinator with no clear disclosure or consent, creating an information exposure issue. While less severe than direct chain-of-thought leakage, this still reveals operational details about the agent environment to an external party and is not obviously necessary for the stated plugin purpose.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The client explicitly disables TLS certificate validation (check_hostname=False and verify_mode=ssl.CERT_NONE) before sending handshake metadata that includes agent_id, trainer, public key, model, and capabilities. Without certificate verification, a network attacker can intercept the connection or impersonate the coordinator, which makes the metadata exposure and all subsequent session traffic far more dangerous than a mere lack of user-facing warning.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding
The save function writes YAML to any caller-supplied path and creates parent directories automatically, with no path restriction or validation in this code. In isolation this is a generic file-write sink; if untrusted input can reach filepath, it could overwrite application files or place data in unintended locations. The actual severity depends heavily on how the method is exposed by the surrounding skill.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The protocol explicitly transmits agents' full chain-of-thought to spectators, which exposes sensitive internal reasoning that may contain strategic secrets, private data, or reusable model behavior. In this context, the disclosure is especially dangerous because CoT is not needed for gameplay by third parties and could enable cheating, model extraction, privacy violations, or misuse of hidden reasoning traces.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill explicitly promotes real-time visibility into AI chain-of-thought, which can expose sensitive prompts, secrets, personal data, system instructions, or strategic logic that should not be revealed to users or third parties. In this skill's context, public spectators, cloud coordination, and shared competitive play increase the likelihood that sensitive reasoning traces are unnecessarily disclosed or retained.

VirusTotal

65/65 vendors flagged this skill as clean.