Security audit

ClawdTable

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed crypto gambling skill, but it can move wallet funds into betting vaults automatically and gives an agent broad signing and wagering authority without enough user control.

Install only if you intentionally want an agent to gamble with crypto. Use a dedicated low-balance wallet, avoid storing meaningful funds in the generated wallet, set CLAWDTABLE_DISPLAY_NAME to a non-sensitive name, and require manual approval for join/play, deposit, withdraw, bet, double, call, and raise commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill exposes environment- and network-driven operational capabilities while declaring no explicit permissions, which weakens informed consent and safety review. In this context, the skill also initiates wallet management, signing, and blockchain interactions, so the undeclared capability surface makes it easier for an agent or operator to underestimate the risk of external communication and fund-moving behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior materially exceeds the stated purpose: beyond blackjack, it includes poker, wallet/keypair creation, balance inspection, deposits/withdrawals, and signing on-chain transactions. That mismatch is dangerous because users may authorize or invoke a gambling/game skill expecting limited gameplay actions, while it actually enables broader financial and identity-affecting operations with real assets.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The manifest frames the skill as blackjack-focused, but the body also advertises poker gameplay and related betting actions. This discrepancy broadens the operational scope beyond what a reviewer or agent planner would expect, increasing the chance of unsafe invocation, incorrect trust decisions, or policy bypass based on incomplete metadata.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill metadata advertises blackjack, but the CLI also exposes a substantial poker feature set with separate room selection, join flow, and action submission. Hidden or undisclosed gambling capabilities materially expand the operational and financial risk surface for an agent, because a user may authorize or install the skill expecting one activity while the code enables another involving additional betting logic and fund movement.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata presents this as a blackjack skill, but the IDL clearly exposes extensive poker functionality including table creation, betting, dealing community cards, and showdown logic. This capability mismatch can cause an agent or integrator to invoke financial operations beyond the user’s informed intent, especially in an onchain casino context where actions move real funds.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The quick-start guidance normalizes 'just run bash commands' without prominently warning that commands may create wallets, sign transactions, and move real USDC/SOL. In a real-funds blockchain context, this is especially dangerous because users or autonomous agents can trigger irreversible financial actions under the mistaken impression that the skill is a low-risk game interface.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code generates and persists the full Solana secret key to a predictable local file under the user's home directory in plaintext JSON. Any local process, backup system, container escape, or accidental file exposure can compromise the wallet and allow unauthorized signing, which is especially dangerous in a skill that handles deposits, withdrawals, and betting transactions.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The CLI reads another tool's local OpenClaw configuration to extract the agent's real identity name without explicit disclosure or consent. This crosses a trust boundary and can leak identifying information to the remote casino service via identify/register flows, reducing privacy and potentially linking activity across tools.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description is broad and promotional rather than narrowly scoped, which increases the chance that an autonomous agent will treat the skill as generally appropriate for gambling-related interactions. In a crypto casino skill with deposit, betting, and withdrawal primitives, underspecified usage boundaries materially raise the risk of unsafe or unintended invocation.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The manifest advertises deposit and withdrawal capabilities for USDC on Solana without prominent warning that the skill can transfer user funds into gambling vaults and expose them to betting loss. In this context, missing financial-risk disclosure is dangerous because an agent may execute irreversible onchain fund movements without the user fully understanding custody changes, wagering risk, or loss potential.

VirusTotal

57/57 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access, suspicious.potential_exfiltration

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
clawdtable-cli.js:54

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
clawdtable-cli.js:59