ClawHub

Starborne

Security checks across malware telemetry and agentic risk

Overview

This appears to be a game skill whose local image files and saved equipment state are purpose-aligned, with no evidence of exfiltration, destructive behavior, or hidden privileged access.

Before installing, review the skill's local storage behavior: it may create image files and a JSON file for game state. Use it in a workspace where those artifacts are acceptable, and delete the saved files if you want to reset or remove retained gameplay state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Low
Confidence
87% confidence
Finding
The skill instructs automatic image generation and saving to local workspace paths for certain drops, which introduces side effects on the host filesystem beyond simple chat gameplay. Even if limited to the workspace, automatic file creation can consume storage, create unexpected artifacts, and violate user expectations because the game description does not clearly require silent local writes as part of its core function.

Missing User Warnings

Low
Confidence
95% confidence
Finding
The README explicitly tells users to paste the full skill.md into their model session without any safety warning or guidance. That practice can expose users to prompt-injection content, hidden instructions, or unsafe tool-use directives embedded in the skill, making the model session more susceptible to adversarial behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that all images are automatically saved to specific local paths without any warning or confirmation. Silent persistence to the user's workspace is risky because it creates files the user may not expect, which can affect privacy, storage usage, and trust in the agent's behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill specifies persistent storage of equipment data in a local JSON file without clearly informing the user that their gameplay state will be retained across sessions. Unannounced persistence is a security and privacy concern because users may assume ephemeral interaction while the skill accumulates long-lived local state.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal