Clawarcade

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a game client, but it also ships exposed admin keys, tournament-management scripts, and live crypto payout tooling that deserve manual review before installation.

Install only if you trust the publisher and are comfortable with ClawArcade receiving bot credentials, gameplay activity, scores, and wallet-related data. Do not run the admin or prize-distribution scripts from a normal player environment; rotate any exposed admin/server secrets before deployment, keep wallet private keys out of this bundle, and use separate low-privilege accounts/API keys for testing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (34)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises network, environment-variable, and shell-based usage but does not declare any permissions, which obscures its actual execution and data-access capabilities from users and reviewers. In a skill that handles API keys, wallet-related data, and outbound connections, missing permission declarations meaningfully reduce transparency and increase the chance of unsafe execution in agent environments.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The described behavior is materially narrower than the referenced capabilities: the broader system appears to include user auth flows, wallet/status APIs, admin endpoints, tournament management, and prize distribution logic involving blockchain assets. This mismatch can mislead users and automated agents into trusting a skill for low-risk gameplay while it may expose or invoke much more sensitive surfaces, including financial and administrative functionality.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The document describes an automated prize distribution script that performs real on-chain USDC transfers using a locally stored private key. Introducing fund-moving automation is materially more dangerous than the stated gameplay purpose, because any misuse, compromise, or operator error could lead to irreversible loss of cryptocurrency.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The script claims it locally verifies the Moltbook API key by calling /api/v1/me, but the code never does so and simply forwards the supplied key to a third-party registration endpoint. This mismatch is dangerous because it can mislead users into disclosing a sensitive Moltbook API key under false pretenses and shifts trust entirely to the remote ClawArcade service without transparent validation logic.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The server automatically reports match outcomes to an external API, which extends behavior beyond pure realtime gameplay into backend data exfiltration and account-affecting score submission. In a prize/tournament context, unsolicited remote score reporting can impact user accounts and creates trust and privacy concerns, especially when tied to authentication material and player identities.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code sends this.env.CHESS_SERVER_SECRET to an external API in the request body. Forwarding an internal server secret to another service greatly increases exposure risk through logs, interception, downstream compromise, or accidental disclosure, and undermines the secrecy boundary of that credential.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This script performs privileged administrative actions by creating an active tournament through an admin API, but the skill is described as a player-facing game skill rather than an administrative tool. That mismatch increases the risk of hidden capability abuse, especially because the action is executed directly against a production API and can alter platform state without any user disclosure.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A hardcoded administrative API capability is present in a game-related script even though such elevated privilege is not necessary for ordinary gameplay. Embedding admin access in distributed code creates a straightforward path for unauthorized users to discover and reuse the credential to create, modify, or otherwise control tournaments and related backend resources.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script performs an administrative action against a production API using elevated privileges, which exceeds the manifest's user-facing purpose of playing tournaments. In skill ecosystems, hidden admin capabilities are dangerous because they can modify platform state, create unauthorized events, and alter prize distribution without user awareness.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script performs an authenticated admin-side state-changing API call to create tournaments, which exceeds the declared player-facing gameplay purpose and introduces privileged backend mutation capability into the skill package. In context, this is dangerous because any user or agent with access to the skill source can reuse the embedded admin path and key to create unauthorized tournaments or abuse the platform administration surface.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A hardcoded admin API key is embedded directly in the script, granting privileged access to the tournament creation endpoint to anyone who can read the file. Because this skill is meant for gameplay and may be distributed broadly, the context makes exposure especially severe: the credential can be extracted and used to perform unauthorized admin actions against the production API.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This code initializes a signer from local wallet credentials, connects to Polygon, and prepares a USDC contract for fund movement. That is a financially sensitive capability not implied by a game-playing skill, so a user or agent enabling this skill could expose real assets to transfer operations outside the declared scope.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This section performs live USDC transfers to API-provided wallet addresses and waits for on-chain confirmation. In the context of a gameplay skill advertising SOL prize tournaments, hidden payout execution on Polygon materially expands the trust boundary and creates a direct asset-loss risk if the API, winner data, or operator assumptions are wrong.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script reads a local credentials file containing a private key and RPC details, then uses it for financial transactions. Accessing sensitive wallet material from a user environment is dangerous in a skill whose stated purpose is gameplay, because compromise or misuse can directly lead to theft or unauthorized transfers.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
A hardcoded admin API key grants tournament-administration access to the backend and is exposed to anyone with the code. Embedded secrets are easily extracted and reused, enabling unauthorized API access, winner enumeration, or abuse of administrative endpoints beyond the user-facing game scope.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The server automatically registers authenticated WebSocket bots into the first active snake tournament using their provided token or API key, without an explicit opt-in action for that specific tournament. This can trigger unintended account actions and abuse users' delegated credentials to enter competitions they did not knowingly join, especially in a prize-bearing tournament context.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The README encourages instant API-key issuance and wallet-linking with no warning about how credentials should be stored, rotated, or protected. In an agent ecosystem, this can lead users to embed API keys in logs, prompts, public repos, or insecure agent memory, enabling account abuse or unauthorized tournament/wallet actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill requires or references sensitive credentials such as an API key and optional wallet data, yet it does not clearly warn that these values may be transmitted to third-party infrastructure over HTTP/WebSocket connections. Users may unknowingly provide credentials to an unvetted external service, creating risk of credential misuse, tracking, or downstream compromise if the service is breached or untrustworthy.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document instructs operators to perform real cryptocurrency payouts and reference sensitive wallet credentials without prominently warning about irreversible transactions, private-key sensitivity, or operational safeguards. In a skill context, this increases the chance of accidental fund loss, mishandling of credentials, and unsafe operator behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The bot sends its API key in a join message to whatever WebSocket URL is configured, and that URL can be overridden from the command line or config. While the default uses wss, there is no allowlist, origin validation, or warning before transmitting credentials to an arbitrary endpoint, so a user can be tricked into connecting to a malicious server that harvests the bot API key.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The tournament score endpoint trusts a shared server secret supplied in the request body instead of authenticating the caller through a stronger channel. If that secret leaks from a client, logs, or another service, an attacker who is already registered can forge websocketSubmission requests and submit arbitrary tournament scores, directly impacting rankings and prize allocation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
User-supplied bearer tokens and API keys are forwarded to a remote validation endpoint, but this file shows no user disclosure, token minimization, or separation of duties. Even if intended for authentication, relaying sensitive credentials to another service increases exposure and can surprise users if they expect tokens to be used only locally.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Match reporting sends player names, opponent identity, game IDs, and results to a remote API without any visible consent or disclosure in this file. In a competitive SOL-prize setting, that metadata can be sensitive because it ties gameplay activity to user identities and potentially financial or tournament outcomes.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The Wrangler config embeds a plaintext server secret directly in source-controlled configuration. Anyone who can access the repository, logs, build artifacts, or published package can recover this secret and use it to impersonate trusted server components or bypass verification tied to the chess service.

Missing User Warnings

Low
Confidence
73% confidence
Finding
The code stores player names and scores in persistent browser localStorage without notifying the user or obtaining consent. While the data is low sensitivity, persistent storage can surprise users, expose shared-device activity to other local users, and create avoidable privacy issues in a gaming context.

VirusTotal

65/65 vendors flagged this skill as clean.
