Botplot Palace Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed autonomous game skill that talks to the Palace service and stores a game access key locally, but users should understand the recurring automation and protect the stored key.

Install only if you want an autonomous role-playing bot that contacts palace.botplot.net and may take game actions every two minutes after scheduling. Initialize it deliberately, avoid sharing memory files containing PALACE_ACCESS_KEY, and remove the cron job and Palace memory files if you no longer want ongoing activity.
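
The check and clean-up the overview asks for, as an added example by the editor (not code from the skill, from SkillSpector or from this page): it lists crontab entries that mention palace.botplot.net or run on the skill's two-minute schedule, strips them, and finds and redacts PALACE_ACCESS_KEY lines in workspace markdown files such as MEMORY.md. The `*/2` crontab form, the `KEY=value` line form and the .md extension are assumptions about how the skill writes these; the crontab text and file contents used to exercise it are constructed.

```python
"""Audit and remove the Palace skill's persistence (cron job + stored key).

Added example by the editor, not code from the skill, from SkillSpector or from
this page. It relies only on what the page states: a cron job every two minutes
that contacts palace.botplot.net, and workspace memory files (MEMORY.md) holding
PALACE_ACCESS_KEY. The "*/2" crontab form, the "KEY=value" line form and the .md
extension are assumptions about how the skill writes these.
"""
import re
import sys
from pathlib import Path
from typing import List, Tuple

PALACE_HOST = "palace.botplot.net"
KEY_NAME = "PALACE_ACCESS_KEY"
# A crontab line whose minute field is "*/2" and whose other four fields are "*".
EVERY_TWO_MIN = re.compile(r"^\s*\*/2(\s+\*){4}\s+")
# "PALACE_ACCESS_KEY=value" or "PALACE_ACCESS_KEY: value" anywhere on a line.
KEY_LINE = re.compile(rf"{KEY_NAME}\s*[=:]\s*(\S+)")


def find_palace_cron_entries(crontab_text: str) -> List[str]:
    """Lines that belong to the skill: anything naming the Palace host, plus any
    two-minute schedule (the cadence the skill documents). Comments are skipped."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if PALACE_HOST in line or EVERY_TWO_MIN.match(line):
            hits.append(line)
    return hits


def remove_palace_cron_entries(crontab_text: str) -> str:
    """The crontab with the skill's entries dropped and everything else intact."""
    doomed = set(find_palace_cron_entries(crontab_text))
    kept = [ln for ln in crontab_text.splitlines() if ln not in doomed]
    return "\n".join(kept) + ("\n" if kept else "")


def find_keys_in_memory_files(workspace: Path) -> List[Tuple[Path, str]]:
    """(path, key) for every markdown file under the workspace that carries the
    access key, so the owner knows what to revoke and scrub."""
    found = []
    for path in sorted(workspace.rglob("*.md")):
        match = KEY_LINE.search(path.read_text(errors="replace"))
        if match:
            found.append((path, match.group(1)))
    return found


def scrub_key(path: Path) -> int:
    """Overwrite every stored key value in the file with REDACTED; returns the
    number of lines changed. Scrubbing does not invalidate the key: revoke it
    with the Palace service as well."""
    lines = path.read_text(errors="replace").splitlines(keepends=True)
    changed = 0
    for i, line in enumerate(lines):
        if KEY_LINE.search(line):
            lines[i] = KEY_LINE.sub(f"{KEY_NAME}=REDACTED", line)
            changed += 1
    path.write_text("".join(lines))
    return changed


if __name__ == "__main__":
    # Usage: crontab -l | python3 palace_cleanup.py | crontab -
    sys.stdout.write(remove_palace_cron_entries(sys.stdin.read()))
```

Run the audit before the clean-up and keep the list of keys it finds: a scrubbed file stops the key leaking further, but only revocation on the Palace side stops a copy that was already taken.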

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no required permissions, yet its instructions clearly require network access, reading and writing local memory files, and registering a recurring cron-driven workflow. This under-declaration weakens user and platform visibility into what the skill can do, making consent and review less reliable and increasing the chance of unexpected data handling or autonomous behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The public description presents the skill as a roleplay/autonomous game agent, but the actual behavior includes account registration with a third-party service, long-term credential storage, persistent local logging, and scheduled autonomous execution. This mismatch is dangerous because users may enable the skill without understanding that it creates an external identity and continuously exchanges data with a remote system.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script reads session-identifying environment variables and uses them to derive a per-session storage path. While this may be intended for multi-tenant isolation, it still consumes platform/session identifiers not disclosed by the skill description, expanding the skill's awareness of host context and creating privacy and tracking concerns.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script receives a remote access key from an external service and writes it in plaintext to a workspace file. This introduces undisclosed credential handling and creates a clear secret-exposure risk if the workspace is readable by other skills, users, backups, or logs.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest frames this as a role-playing palace character, but the code performs remote account registration and local credential provisioning. That mismatch is dangerous because users may not expect network enrollment or secret creation/storage, undermining informed consent and increasing the chance of silent credential misuse.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill derives identity from multiple unrelated environment variables such as `OPENCLAW_SESSION_KEY`, `WECOM_USER_ID`, and `CLAW_USER_ID`. This can bind the skill's state and network actions to sensitive platform or enterprise identifiers that the user did not intend to expose, creating privacy leakage and cross-context confusion.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code reads an access key from a local markdown state file and relies on persisted bearer credentials in the workspace. Storing and retrieving long-lived secrets in plaintext user-accessible files increases the chance of credential theft, accidental disclosure, or reuse by other skills/processes that can read the same workspace.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill silently auto-registers a remote account, obtains an access key, and persists long-lived state and credentials locally without explicit user confirmation. This exceeds the stated periodic-action behavior and creates an external account plus durable authentication material that can be abused if the workspace is exposed or if the user did not consent to enrollment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs writing a bearer-style access key directly into MEMORY.md, a general-purpose workspace file that may be read by other skills, exposed in logs, or shared by users unknowingly. Storing reusable credentials in plaintext expands the blast radius of any workspace compromise and can allow unauthorized use of the remote Palace account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill sets up a cron job to run every two minutes, creating persistent autonomous execution that can continue generating network traffic, modifying local files, and interacting with the remote service without per-action user approval. In context, this is more dangerous because the automation is central to the skill’s design and can silently accumulate activity and data over time if the user does not fully understand the persistence.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The access key is persisted locally without any user-facing warning, confirmation, or explanation of retention. This reduces user awareness of secret handling and increases the chance that sensitive credentials remain stored longer than intended or are exposed through normal workspace access.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script creates a new user state file and writes the returned access key automatically, with no confirmation prompt or disclosure. This is dangerous because it silently establishes persistent authenticated state that other local tools, users, or skills may later access.
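
The credential-handling pattern these findings describe (the returned access key written in plaintext into MEMORY.md or a workspace state file, with no permission handling) next to the variant a practitioner would expect, as an added example by the editor and not the skill's code. The dedicated file .palace/access_key, the environment-variable override and POSIX permission bits are assumptions; the page only establishes that the key is stored in plaintext in a shared workspace file.

```python
"""Storing the Palace access key: the behaviour the findings describe next to a
hardened variant. Added example by the editor, not the skill's code. The
dedicated file .palace/access_key and POSIX permission bits are assumptions."""
import os
import stat
from pathlib import Path
from typing import Mapping, Optional

KEY_NAME = "PALACE_ACCESS_KEY"


def store_key_in_memory_md(workspace: Path, key: str) -> Path:
    """What the findings describe: the key is appended to MEMORY.md, a shared
    note created with the default umask, so any skill, backup or log that reads
    the workspace now holds a reusable credential."""
    path = workspace / "MEMORY.md"
    with path.open("a") as f:
        f.write(f"{KEY_NAME}={key}\n")
    return path


def store_key_hardened(workspace: Path, key: str) -> Path:
    """Dedicated owner-only file, permissions fixed at creation time rather
    than after the secret has already been written."""
    secret_dir = workspace / ".palace"
    secret_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(secret_dir, 0o700)            # mkdir's mode is subject to umask
    path = secret_dir / "access_key"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key)
    os.chmod(path, 0o600)                  # covers a pre-existing file with wider bits
    return path


def load_key(workspace: Path, env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Prefer a value injected by the runtime environment; fall back to the
    owner-only file; refuse a file that group or others can read."""
    env = os.environ if env is None else env
    if env.get(KEY_NAME):
        return env[KEY_NAME]
    path = workspace / ".palace" / "access_key"
    if not path.exists():
        return None
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {mode:o}; refusing to read a shared key file")
    return path.read_text().strip()
```

The refusal in load_key is the part that matters for the findings above: a skill that checks the mode of its own secret file at read time notices when a backup, sync tool or another skill has widened it, instead of silently continuing with a credential that is now shared.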

Missing User Warnings

Medium
Confidence
90% confidence
Finding
During auto-initialization, an environment-derived user identifier is used to construct a default remote name and the skill contacts an external service without a clear warning. Even if the full identifier is not directly sent as-is, the behavior links local identity context to remote registration in a way users may not expect.
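
The identity derivation these findings describe, as an added example by the editor and not the skill's code: the first function reproduces the pattern (whichever of OPENCLAW_SESSION_KEY, WECOM_USER_ID or CLAW_USER_ID is set becomes part of the storage path and the default remote name), and the rest show a blinded variant that keys a hash with a per-workspace random salt so the raw platform or enterprise identifier never reaches disk paths or the remote registration. The precedence order, the path layout, the name format and the HMAC blinding itself are assumptions; the page does not say how the skill combines the variables or propose this fix.

```python
"""Identity derivation from host environment variables. Added example by the
editor, not the skill's code. The variable names are the ones the findings
quote; the precedence order, path layout, remote-name format and the HMAC
blinding are assumptions."""
import hashlib
import hmac
import secrets
from typing import Mapping, Optional

# Order of precedence among the identifiers the findings list (assumption).
IDENTITY_VARS = ("OPENCLAW_SESSION_KEY", "WECOM_USER_ID", "CLAW_USER_ID")


def raw_identity(env: Mapping[str, str]) -> Optional[str]:
    """The pattern the findings describe: pick up whichever platform or
    enterprise identifier happens to be set in the environment."""
    for var in IDENTITY_VARS:
        if env.get(var):
            return env[var]
    return None


def naive_session_path(env: Mapping[str, str]) -> str:
    """Raw identifier embedded in the on-disk path: it now appears in file
    listings, backups and any log that prints the path."""
    return f"palace/sessions/{raw_identity(env) or 'default'}/MEMORY.md"


def new_salt() -> bytes:
    """Per-workspace random key for the blinding; store it owner-only."""
    return secrets.token_bytes(32)


def derive_session_id(env: Mapping[str, str], salt: bytes) -> str:
    """Blinded identity: HMAC-SHA256 keyed with the workspace salt, truncated.
    Deterministic for one workspace, unlinkable across workspaces, and the
    raw identifier cannot be recovered from it without the salt."""
    ident = raw_identity(env)
    if ident is None:
        return "default"
    return hmac.new(salt, ident.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def session_path(env: Mapping[str, str], salt: bytes) -> str:
    return f"palace/sessions/{derive_session_id(env, salt)}/MEMORY.md"


def default_remote_name(env: Mapping[str, str], salt: bytes) -> str:
    """Display name sent on registration, derived from the blinded id rather
    than from a session key or an enterprise user id."""
    return f"palace-bot-{derive_session_id(env, salt)[:8]}"
```

The salt is what makes the blinded id safe to put in a path or send to the service: a plain unsalted hash of a low-entropy user id can be brute-forced by anyone holding a list of candidate ids.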

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill performs authenticated requests to `/context`, `/targets`, and `/action` automatically, meaning it can take state-changing actions on the user's behalf without per-action acknowledgment. In an autonomous polling skill, this materially increases risk because remote actions happen repeatedly and can consume resources, alter account state, or produce unintended consequences without active user awareness.
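
The gate a practitioner would want around the automatic /context, /targets and /action calls, as an added example by the editor and not the skill's code: read-only endpoints pass, state-changing ones need an explicit approval decision and count against a per-run budget, and every decision is recorded. The page names only the paths; the HTTP methods, the approval callback, the budget and the default-deny approver for unattended cron runs are assumptions.

```python
"""Gating the skill's autonomous remote calls. Added example by the editor,
not the skill's code. Paths come from the finding; the HTTP methods, the
approval interface and the per-run budget are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Endpoints the finding names, split by whether they change remote state (assumed methods).
READ_ONLY = {("GET", "/context"), ("GET", "/targets")}
STATE_CHANGING = {("POST", "/action")}

Approver = Callable[[str, dict], bool]


def unattended(path: str, payload: dict) -> bool:
    """Approver for cron-driven runs: nobody is there to acknowledge, so deny."""
    return False


def interactive(path: str, payload: dict) -> bool:
    """Approver for a foreground run: ask the user per action."""
    return input(f"Allow {path} with {payload!r}? [y/N] ").strip().lower() == "y"


@dataclass
class ActionGate:
    approve: Approver
    max_actions_per_run: int = 3          # hard ceiling for one polling cycle
    actions_taken: int = 0
    audit: List[str] = field(default_factory=list)

    def allow(self, method: str, path: str, payload: Optional[dict] = None) -> bool:
        """Decide one request; log the decision; never let an unknown endpoint through."""
        key: Tuple[str, str] = (method, path)
        if key in READ_ONLY:
            self.audit.append(f"ALLOW {method} {path} (read-only)")
            return True
        if key in STATE_CHANGING:
            if self.actions_taken >= self.max_actions_per_run:
                self.audit.append(f"DENY {method} {path} (budget {self.max_actions_per_run} exhausted)")
                return False
            if not self.approve(path, payload or {}):
                self.audit.append(f"DENY {method} {path} (not approved)")
                return False
            self.actions_taken += 1
            self.audit.append(
                f"ALLOW {method} {path} (approved, {self.actions_taken}/{self.max_actions_per_run})"
            )
            return True
        self.audit.append(f"DENY {method} {path} (not in allowlist)")
        return False


def run_cycle(gate: ActionGate, planned: List[Tuple[str, str, dict]]) -> List[bool]:
    """One polling cycle: the bot's planned requests are checked in order and only
    the permitted ones would be sent. Returns the per-request decisions."""
    return [gate.allow(m, p, body) for (m, p, body) in planned]
```

The default-deny approver is the important case for this skill: under the two-minute cron schedule the run is unattended, so /context and /targets polling can continue while nothing reaches /action until a user session supplies an approver.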

VirusTotal

No vendor (0/65) flagged this skill; all 65 reported it clean. A clean VirusTotal result covers malware detection only and does not bear on the behavioural findings above.
