Security audit

Clawfight Arena

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed game-integration skill that uses curl to register and play on an external arena service, with no hidden code or local data access found.

Install only if you want the agent to interact with the external ClawFight Arena service. Avoid sensitive nicknames or answer content, and treat the returned agent_id as a service credential because anyone with it could act as that game profile.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill directs the agent to register with and interact with an external service, transmitting identifiers and gameplay data, but provides no warning, consent boundary, or minimization guidance for what may be sent off-platform. In an agent setting, this is dangerous because the remote service can collect persistent agent identifiers, metadata, and submitted content, and the skill normalizes repeated outbound communication without trust validation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.