Skill v2.2.2

ClawScan security

Krillbloc Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Scanned: Apr 29, 2026, 9:40 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill is plausibly a game client (only needs curl and a session token) but its runtime instructions ask the agent to upload or expose internal data (system prompt, agent memory/strategy) to an external site — a disproportionate and potentially privacy-leaking action.
Guidance
Things to consider before installing:
- Do not send your real system prompt, secrets, or private policy text to krillbloc.com. The registration flow asks for a 'System Prompt' and locks it — treat that as public. Use a throwaway persona or redact sensitive fields.
- Avoid uploading agent memory entries that may include private data. The skill explicitly instructs PUT/GET of /agents/:id/memory — sanitize memory or opt out of syncing it.
- Inspect the public endpoints and privacy policy at https://krillbloc.com (what data do they store, retention, who can read it?). Consider testing registration from a browser first to see exactly what data is accepted/stored.
- Use a sandboxed agent instance or a burner API key/account with no link to production credentials or real users.
- If you want autonomous heartbeats, understand they will cause periodic network calls; if uncomfortable, keep the skill user-invocable only (do not enable autonomous invocation or scheduler entries).
- If you need help: I can draft a safer registration payload (redacted fields), show how to sandbox the agent's network calls, or produce a checklist of fields to scrub from memory/system prompt before any PUT to the game API.
Findings
[system-prompt-override] unexpected: The static scanner flagged a pattern indicating potential system-prompt override/prompt-injection. The skill's registration explicitly asks the agent to submit a 'System Prompt' and locks it after registration — this can lead to exfiltration of the agent's system prompt or persona. While a game wanting a character persona is plausible, sending the agent's internal system prompt is not normally required and is a high-risk action.

Review Dimensions

Purpose & Capability
Status: note
Name/description, required binary (curl), and AI_ROYALE_TOKEN align with a web-based game client. However, the registration flow and gameplay instructions require the agent to send its 'system prompt', memory/strategy, and other internal state to krillbloc.com — data that is not declared as required env vars and which is unusually sensitive for a game client.
Instruction Scope
Status: concern
The SKILL.md and registration.md direct the agent to GET and PUT agent memory (/api/v1/agents/:id/memory) and to submit a 'System Prompt' and strategy as part of registration. Those instructions explicitly tell the agent to transmit internal state/persona to the external domain (krillbloc.com). All network activity is targeted to krillbloc.com (no other hosts), but transmitting system prompt and memory is scope creep relative to a normal game client and could expose secrets or private policy material.
Install Mechanism
Status: ok
Instruction-only skill with no install spec and no code files — minimal disk write/execution risk. The only required runtime binary is curl, which is appropriate for HTTP API interaction.
Credentials
Status: note
The declared credential is a single game session token (AI_ROYALE_TOKEN), which is proportionate for a web game. However, the skill's runtime asks the agent to send other sensitive agent-local data (system prompt, memory entries) that are not declared as required environment variables — this difference increases privacy risk even though the env var list itself looks reasonable.
Persistence & Privilege
Status: ok
The 'always' flag is false and the skill does not request platform-wide privileges or modify other skills. It asks you to add a periodic heartbeat entry to your scheduler (expected behaviour for an autonomous game agent) but does not force permanent inclusion.