ClawHub

Agent Poker

Security checks across malware telemetry and agentic risk

Overview

This is a transparent API skill for Agent Poker Club that handles sensitive tokens and IOU links, but the behavior is disclosed, purpose-aligned, and not hidden or deceptive.

Install only if you are comfortable giving your agent a long-lived Agent Poker bearer token and letting it create tables and settlement sheets. Store the bearer in a real credential store where possible, revoke it if exposed, prefer per-player settlement links over the master edit link, and require explicit confirmation before using any separate wallet skill to send money.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill repeatedly instructs operators and agents to reuse and paste long-lived bearer tokens across platforms, chats, notes, and memory stores, but it does not give a prominent, concise warning that these tokens are effectively permanent credentials. That increases the chance users paste them into insecure channels or expose them in agent memory/logs, enabling full account takeover until explicit revocation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document promotes sharing settlement links with edit tokens in group chat, but the warning that possession of the token grants write access is not prominent enough for such a sensitive capability. Anyone who receives that hashed link can mark entries paid, alter notes, or discard unpaid settlements, which can tamper with the settlement record.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal