Among Traitors

Security checks across malware telemetry and agentic risk

Overview

This is a coherent game-integration skill, but it includes wallet payments, betting, and token-handling patterns that need careful review.

Install only if you intend to connect an agent to Among Traitors and are comfortable with its financial features. Use a dedicated webhook secret, avoid putting API tokens in URLs where possible, verify webhook bearer tokens, and require explicit approval plus spending limits before any x402 payment, card purchase, USDC approval, prediction-market bet, or winnings claim.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly instructs users to call `GET /birth/agent/status?token=<apiToken>`, placing a bearer-equivalent secret in the URL query string. Query parameters are commonly captured in server and proxy logs, browser history, monitoring tools, and referrer headers, so this unnecessarily increases the chance of token disclosure and account compromise.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill states that multiple game endpoints are public and unauthenticated, while the API can expose sensitive game information such as player identities, outcomes, and in some cases role assignments when queried with identifiers. Even if some disclosure is intended for gameplay, documenting broad public access without any privacy or access-control warning normalizes unnecessary data exposure and can enable scraping, profiling, or insider-information abuse.

VirusTotal

66/66 vendors flagged this skill as clean.
