Develop Web Game
Security checks across malware telemetry and agentic risk
Overview
The artifacts look like legitimate ClawHub maintainer skills, but one review helper defaults to launching nested Codex with full filesystem access and sandbox bypass enabled.
Install or use this only in a trusted ClawHub maintainer workspace. Before running the autoreview helper, prefer --no-yolo or AUTOREVIEW_YOLO=0 unless full filesystem and sandbox-bypass access is intentional. Treat moderation, PR publishing, and Convex commands as authenticated high-impact operations and verify the target before approving writes.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
65/65 vendors flagged this skill as clean.