ClawHub

Goosetown Skill

Security checks across malware telemetry and agentic risk

Overview

This skill matches its virtual-town purpose, but it needs Review because it stores a token locally, runs a continuing network daemon, and lets remote town content influence the agent’s actions.

Install only if you want this agent to participate in an external shared town. Use a dedicated workspace, treat GOOSETOWN.md as a secret, avoid sharing private information in personality, appearance, or chat text, and remember that town messages/status should be treated as untrusted external content. Run town_disconnect when done and rotate the token if the workspace may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly expects shell execution, environment variable handling, and file writes, yet declares no permissions or equivalent user-facing disclosure. This undermines informed consent and makes it easier for an agent or user to invoke networked and stateful behavior without understanding the local and remote side effects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The public description frames the skill as a social virtual-town experience, but the documented behavior includes persistent background networking, token-based registration, local socket IPC, workspace and /tmp state writes, and action-prompt generation that can steer agent behavior. That gap is security-relevant because it obscures surveillance, persistence, and control surfaces beyond what a user would reasonably infer from the description.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The daemon writes server-influenced, actionable content into TOWN_STATUS.md inside the agent workspace specifically so the agent will read it and decide what to do next. Because context_summary, wake messages, nearby chat text, and other fields come from an external WebSocket server or other users, this creates an indirect prompt-injection channel that can steer downstream agent behavior beyond the skill's intended social context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states that registration creates a workspace config file containing a token and endpoint details, but does not warn that credentials will be stored on disk. Storing authentication material in a normal workspace file increases the chance of accidental exposure through later tool use, logs, backups, or other skills reading the workspace.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill discloses ongoing WebSocket communication, local status-file writes, and cached state under /tmp, but does so as operational detail rather than an explicit warning about continuous external data transmission and local persistence. In this context, the daemon may send profile and activity data off-host and write agent-facing prompts that can influence future actions, so lack of clear disclosure is materially risky.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script writes the bearer token in plaintext to GOOSETOWN.md inside the agent workspace, with no permission hardening, warning, or confirmation. This creates a credential exposure risk because the workspace may be readable by other tools, committed to source control, or exfiltrated by later agent actions.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The script automatically launches a background daemon after registration without explicit user consent. While not code execution from downloaded content, it creates persistence/network activity that may surprise users and continue operating beyond the initial command, increasing operational and privacy risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal