Who Is Undercover Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a playable game, but it also ships remote game-service code that the documentation does not disclose, plus a hardcoded API key, even though the documentation says it runs locally without making network requests.

Review before installing. The local game commands appear purpose-aligned, but do not run instreet_game_controller.js unless you intend to create and operate a remote InStreet room. Ask the publisher to remove and rotate the embedded API key, document the external service and data sent, and make remote play an explicit opt-in.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill metadata and documentation present a local social deduction game with AI opponents, but the scanned code exhibits materially different behavior: it contacts external APIs, creates and joins remote rooms, polls remote state, submits player actions to a third-party service, persists local state, and embeds a hardcoded API key. This undisclosed networked functionality expands the trust boundary and can expose user and game data to external services without clear disclosure, and the hardcoded credential adds a further risk of abuse or unauthorized access.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented as a self-contained AI social deduction game, but this file delegates core gameplay operations to a remote third-party API. That creates a trust-boundary mismatch: user actions, room state, and gameplay data are sent off-platform without being clearly implied by the stated functionality, which can mislead reviewers and users about where processing occurs.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The adapter requires an API key and outbound network access to a third-party game service, but that capability is not justified by the skill description alone. This expands the attack surface by introducing secret handling and external communication that users may not expect, increasing risks around credential misuse, data leakage, and dependency compromise.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file contains a hardcoded external API credential directly in source code. This is dangerous because anyone with access to the codebase can reuse the key to access the external service, incur charges, impersonate the application, or interact with remote resources outside the game's stated scope.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The controller creates and manages an external InStreet room/service, which expands behavior beyond a purely local AI social deduction game. This increases risk because the skill performs undisclosed network actions, creates remote resources, and persists room metadata, which may surprise users and violate least-privilege expectations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends an Authorization bearer token and gameplay content to an external service without any visible user disclosure, consent flow, or warning. In the context of an apparently local game skill, this is dangerous because credentials and user-generated descriptions/reasoning may be transmitted to a third party unexpectedly, creating privacy and supply-chain risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
Using a hardcoded API key without disclosure is a real security issue because it embeds sensitive authentication material in the distributed code. The lack of warning does not create the core vulnerability, but it worsens operational risk by hiding credential use from users and reviewers.

VirusTotal

0 of 63 vendors flagged this skill; all 63 reported it as clean. A clean antivirus verdict covers known malware signatures only; it does not address the undisclosed network behavior or the hardcoded credential in the findings above.
