ClawHub

Whispers from the Star

Security checks across malware telemetry and agentic risk

Overview

This is a coherent text-adventure skill that saves fictional game progress locally and does not show hidden code execution, network access, credential use, or unrelated data access.

Install only if you are comfortable with the skill maintaining and changing a local game_state.md save file. Keep that file limited to fictional game content, and review or back up it before resets, new-game-plus transitions, or in-game choices that discard inventory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill directs the agent to read and modify `game_state.md`, which is persistent user data, but does not require explicit user notice or confirmation before overwriting save-state content. In an agent environment, silent persistence changes can lead to unintended data loss, state corruption, or surprising side effects across future sessions, especially because the file is central to game progression.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The skill explicitly requires all content to be in Chinese, regardless of the user's language or accessibility needs. This is a genuine policy/usability control issue because it can override user preference, reduce transparency for non-Chinese speakers, and make it harder for users to understand or safely interact with the system.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs reading, editing, and saving `game_state.md`, which is persistent state, but does not require an explicit user-visible confirmation before making those changes. In an agent setting, this can cause unintended or surprising state mutations, especially when updates are triggered automatically by another system such as `game_master`.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill defines teammate departure as causing all teammate inventory items to be lost, an irreversible destructive action, but does not present this as an upfront safety-critical operation requiring confirmation. If invoked automatically or indirectly through gameplay logic, it could silently destroy persistent player assets and create hard-to-recover state loss.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal