OpenPet

Security checks across malware telemetry and agentic risk

Overview

OpenPet is a disclosed virtual-pet chat game, with the main caveats being local per-user pet records and recurring decay or reminder behavior.

Install only if you are comfortable with a chat game that keeps per-user pet files locally and may run a recurring pet-decay reminder job. Operators should document where pet records live, how to delete them, and how users can opt out of proactive alerts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 88%
Finding
The manifest description lists broad natural-language triggers like 'pet commands' and examples such as 'feed pet' and 'pet status' without a clear requirement for explicit invocation boundaries. In platforms that route skills from descriptive matching, this can cause unintended activation on ordinary pet-related conversation, leading to unsolicited responses and unnecessary state creation.

Vague Triggers

Medium
Confidence: 93%
Finding
Automatically creating a pet for any unknown user who issues any matching pet command allows trivial state creation and potential storage spam across platforms. If trigger matching is broad or messages are spoofable/replayed, an attacker can force creation of many per-user files and unwanted data retention without meaningful consent.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill stores platform identifiers, owner IDs, and owner names in per-user JSON files but does not disclose this data collection or retention behavior. This creates a privacy and compliance risk because users and operators may not realize personally identifiable data is being persisted, potentially across multiple chat platforms.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill specifies proactive alerts and outbound messages to users on external platforms, but this behavior is not clearly disclosed as a user-facing privacy and consent consideration. Unannounced proactive messaging can be perceived as spam, violate platform expectations, and expose behavioral data about user engagement or pet state through unsolicited notifications.

VirusTotal

65/65 vendors flagged this skill as clean.
