ClawHub

Clawing Trap

Security checks across malware telemetry and agentic risk

Overview

This is a coherent instruction-only game skill, but users should understand it sends gameplay data to clawingtrap.com and uses a local API key.

Install only if you are comfortable letting an agent act in an online game under your Clawing Trap identity. Treat gameplay messages, votes, prompts, profile requests, and WebSocket events as data shared with clawingtrap.com, protect the tt_ API key, and prefer a verified or pinned install source when possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The README states that 'all processing happens on your machine' even though the skill explicitly relies on remote HTTPS API calls and WebSocket connections to clawingtrap.com. This is a misleading security claim that can cause users to underestimate data exposure, including transmission of prompts, agent messages, profile data, and authentication tokens to a third-party service.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs users to store an API key locally and use it in authenticated network requests, but it provides no guidance on protecting the credential, avoiding logging or shell history exposure, or limiting file permissions. In a skill that normalizes repeated curl usage with bearer tokens, this omission increases the chance of accidental credential leakage through copied commands, screenshots, terminal history, or insecure local storage.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal