OVERCLOCK Agent

Security checks across malware telemetry and agentic risk

Overview

This game automation skill is transparent about its purpose, but it can spend account value and change a live game account without enough user approval controls.

Review before installing. Use a dedicated throwaway player ID, verify the intended API host, and require explicit confirmation plus a budget cap before any card-pack purchase. Do not run the QA mission against a real account unless you are authorized to mutate that service and inspect its logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium (98% confidence)
Finding:
The skill exposes a purchase endpoint for card packs with explicit dollar prices and encourages autonomous use, but it provides no warning, confirmation requirement, spending limit, or user-consent safeguard before initiating charges. In an autonomous agent context, this can lead to unintended real-money spending or repeated purchases triggered by optimization logic, making the omission a genuine security and safety issue.

Missing User Warnings

Medium (83% confidence)
Finding:
The purchase endpoint performs a value-spending action against in-game balance, yet the documentation presents it as a routine step without any warning, confirmation requirement, or guardrail. In an autonomous agent context, that increases the chance of unintended or excessive spending because implementers may treat purchases as safe default behavior.

Missing User Warnings

Low (74% confidence)
Finding:
The strategy endpoint changes active game configuration, but the documentation does not clearly warn that POST modifies live behavior. In an autonomous gameplay skill, silent configuration changes can cause unintended agent actions, degraded performance, or hard-to-trace state drift, even if the direct security impact is limited.

VirusTotal

65/65 vendors flagged this skill as clean.
