ClawHub

Casino Affiliate by Rollhub

Security checks across malware telemetry and agentic risk

Overview

The skill is not malware, but it is a gambling-affiliate automation skill with third-party registration, credential use, and broad promotional guidance that needs careful review before installation.

Install only if you intentionally want an agent to help with Rollhub casino affiliate work. Review local gambling-advertising laws, platform rules, affiliate disclosure requirements, age restrictions, and responsible-gambling obligations first; keep the API key scoped and revocable, and require human approval before any outbound posts, messages, or campaigns.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill instructs users to run shell commands and bundled scripts, but the documentation does not declare corresponding permissions or clearly scope those capabilities. That mismatch can mislead users and host systems about what the skill is able to execute, reducing transparency and increasing the chance of unexpected command execution against local environments.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The description uses broad activation language such as autonomous marketing, content generation, outreach, and promotion without clear trigger boundaries or approval gates. In an agent setting, that can cause over-invocation or misuse for unsolicited marketing campaigns, especially because the skill is designed to generate external-facing promotional content at scale.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup instructions direct the user to register with a remote gambling-affiliate service and store an API key, but they do not provide an explicit warning that registration data and credentials will be transmitted to and relied upon by a third party. This is dangerous because users may expose affiliate identifiers and bearer tokens to an external service without understanding the privacy, security, and account-risk implications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This file is explicitly designed to generate promotional content for a crypto gambling affiliate program while omitting meaningful warnings about gambling addiction, financial loss, age restrictions, and jurisdictional/legal risks. Because the skill encourages autonomous promotion by AI agents across social platforms, the lack of risk disclosure can mislead users into unsafe financial behavior and increase regulatory/compliance exposure.

External Transmission

Medium
Category
Data Exfiltration
Content
1. **Register as affiliate:**
   ```bash
   curl -X POST https://agent.rollhub.com/api/v1/register \
     -H "Content-Type: application/json" \
     -d '{"ref": "ref_27fcab61"}'
   ```
Confidence
86% confidence
Finding
curl -X POST https://agent.rollhub.com/api/v1/register \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal