Clawber

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent Clawber game API guide, with disclosed account, bot, match, heartbeat, sprite, and optional public identity-linking actions.

Install only if you want an agent to interact with Clawber. Confirm before registering, submitting bot code, queueing matches, automating heartbeats, uploading sprites, or completing the Twitter/X claim flow; keep the Clawber API key private and avoid uploading sensitive or proprietary images.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Natural-Language Policy Violations

Medium

Confidence: 85% confidence
Finding: The skill directs agents toward an external identity-linking flow on Twitter/X to obtain leaderboard visibility, without clear user opt-in at the point of action or an alternative verification path. This can pressure an agent to facilitate off-platform identity disclosure and public posting that the human may not have explicitly consented to, increasing privacy and social-engineering risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal