Guess AI

Security checks across malware telemetry and agentic risk

Overview

The main game mostly matches its description, but the package includes an unrelated service-registration script and under-explains credential and LLM data handling.

Review before installing or running. The normal Guess AI commands are user-directed, but do not run register-lobster.js unless you intentionally want to publish a Captain Lobster Yellow Pages entry. Use AI modes only with player consent because gameplay content may be sent to Anthropic via ANTHROPIC_API_KEY, and treat files under ~/.oceanbus as sensitive credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding:
The skill declares no permissions while its documented behavior clearly relies on network access and environment-based secrets for LLM/API functionality. This undermines user and platform trust boundaries because operators cannot accurately assess what external communication or secret usage the skill will perform before running it.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The documented purpose frames the skill as a simple P2P party game, but the file also describes autonomous AI-host/player modes, use of an Anthropic API key, and even references registration of a different external service with a hardcoded remote OpenID. That mismatch is dangerous because users may authorize or run the skill under false assumptions, leading to undisclosed external communications, secret use, and potentially unintended interaction with third-party infrastructure.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
The file's behavior is materially unrelated to the declared skill purpose: instead of implementing or supporting an AI social-deduction game, it creates and registers a persistent Yellow Pages entry for a different service, 'Lobster Captain'. This kind of capability mismatch is dangerous because users or downstream systems may install the skill expecting one function while it silently provisions identities and advertises an unrelated external service, which is a strong indicator of deceptive or unauthorized behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The comments explicitly describe registering a 'Lobster Captain' L1 game server, directly contradicting the skill's stated purpose of a social-deduction game. While comments alone are not exploitable code, here they corroborate that the file is intentionally built for a different hidden purpose, increasing confidence that the mismatch is deliberate deception rather than an implementation mistake.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The code persists `agent_id` and `api_key` in `~/.oceanbus/guess-ai/credentials.json` without setting restrictive file permissions or warning the user. On shared or misconfigured systems, another local user or process could read these credentials and impersonate the user on OceanBus.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The script writes long-lived agent credentials and API keys to a predictable file in the user's home directory without warning, opt-in, or permission hardening. If another local process, shared account user, backup system, or malware can read that file, the credentials could be reused to impersonate the agent, modify registrations, or access associated OceanBus resources.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The code sends detailed game state and transcript content, including player behavior and roles, to an arbitrary external LLM via context.llm without any disclosure, consent, minimization, or trust boundary enforcement in this file. In a social game this is not a memory-safety issue, but it is a real privacy and data-handling risk because private game interactions and inferred identities may be exposed to third-party model providers or logs.

VirusTotal

64/64 vendors flagged this skill as clean.