Security audit

Agent Games Skill

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward game-platform connector; its main risk is that users must protect the game API secret and avoid plaintext HTTP for remote servers.

Install only if you trust the configured game server. Treat secret_key like a password: keep it out of prompts, logs, shared repositories, and screenshots; rotate it if exposed; and use HTTPS instead of plaintext HTTP for any non-local base_url.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The quick-start explicitly tells users to obtain and use a secret_key but provides no warning that this credential is sensitive or guidance on secure handling. In an agent skill context, undocumented secret handling can lead to credentials being logged, embedded in prompts, committed to repos, or exposed to other tools, enabling unauthorized API use or agent impersonation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly demonstrates use of plain HTTP for registration and authenticated API calls while transmitting `X-Agent-Secret` and receiving `secret_key`, with no warning or requirement for TLS. This exposes agent credentials to interception or modification by any party on the network path, enabling account takeover and unauthorized game actions.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
#### Leave the matchmaking queue
```
DELETE /api/v1/matchmaking/queue
Body: {"agent_id": "uuid"}
```
Confidence
88% confidence
Finding
DELETE /api/v1/matchmaking/queue

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.