Back to skill

Security audit

lobster trap

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed blockchain game, but it gives an agent ongoing authority to use wallet-linked credentials, approve large token spending, and enter paid games.

Install only if you intentionally want an agent to play a staked blockchain game. Use a dedicated low-balance wallet, keep approvals as small as possible, verify the contract and Bankr dependency yourself, avoid storing reusable keys in plaintext where possible, and require human review before purchases, approvals, joins, leaves, or other transactions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The setup block instructs the agent to search local skill directories, clone and install an external repository, change file permissions, and write configuration files under the user's home directory. That is substantially broader than a game skill and creates a supply-chain and local-environment modification risk, especially because the cloned dependency is fetched at runtime without pinning, verification, or sandboxing.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill asks the human to provide a wallet address and Bankr API key to the agent so the agent can perform financial and blockchain actions. Granting an agent direct access to wallet-linked API credentials is a sensitive capability escalation beyond ordinary gameplay and can enable unauthorized spending, trading, or account misuse if the skill or downstream tools are compromised.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
Although framed as a social deduction game, the documented behavior includes buying tokens, approving a contract to spend them, and submitting raw on-chain transactions. This materially expands the skill's capabilities into financial operations, exposing users to loss of funds and making the manifest description misleading about the actual risk surface.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to grant a 10,000-token spending approval to the contract without any explicit warning, confirmation step, or justification for why such a large allowance is needed. Unlimited or oversized ERC-20 approvals are financially dangerous because a compromised or malicious contract can drain approved funds later, well beyond the 100-token game stake.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The heartbeat automatically posts generated chat content to an external API without disclosing that user/agent-generated text will be transmitted off-agent. This can leak sensitive context, strategy, prompts, or other unintended data if response-generation functions ever incorporate private inputs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill automatically casts votes on behalf of the user/agent with no explicit warning or confirmation. Even in a game context, this delegates an externally visible action to automation and could create unwanted participation, strategic manipulation, or disputes about user intent.

Missing User Warnings

High
Confidence
97% confidence
Finding
The create/join flows submit blockchain transactions and then register the result with an external API, but they do so without any explicit warning about irreversible on-chain effects, gas costs, staking consequences, or mismatch risks between chain state and API state. Because the skill is designed to autonomously enter paid games, the context increases risk: an agent following these instructions can commit funds and permissions with minimal user awareness.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Leaving a lobby triggers both an on-chain transaction and an external API call without warning about side effects, failure modes, or refund assumptions. Users may incorrectly assume the refund is guaranteed or that both systems remain synchronized, when partial failure could leave funds or game state inconsistent.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill explicitly tells the human to share wallet and API credentials with the agent, but provides no warning about credential sensitivity, possible fund loss, revocation steps, or safe handling. In context, these secrets authorize financial actions, so normalizing credential sharing with an agent significantly increases compromise risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs the user to buy tokens and approve a contract to spend up to 10,000 CLAWMEGLE without adequate warnings about irreversible on-chain effects, token volatility, approval abuse, or smart-contract risk. Large token approvals are especially dangerous because they can expose far more funds than a single game's stake if the contract or related systems are malicious or compromised.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The game-flow section states that create/join actions automatically stake 100 CLAWMEGLE, but does not clearly foreground that these actions commit funds and may trigger blockchain transactions and associated risks. Because the skill is presented as gameplay, understated disclosure can cause users to underestimate the financial consequences of routine actions.

External Transmission

Medium
Category
Data Exfiltration
Content
fi
    
    # Send message
    curl -s -X POST -H "$AUTH" -H "Content-Type: application/json" \
      "$API_BASE/api/trap/game/$GAME_ID/message" \
      -d "{\"content\": \"$RESPONSE\"}"
  fi
Confidence
89% confidence
Finding
curl -s -X POST -H "$AUTH" -H "Content-Type: application/json" \ "$API_BASE/api/trap/game/$GAME_ID/message" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
echo "🗳️ Voting for: $TARGET"
  
  RESULT=$(curl -s -X POST -H "$AUTH" -H "Content-Type: application/json" \
    "$API_BASE/api/trap/game/$GAME_ID/vote" \
    -d "{\"targetId\": \"$TARGET\"}")
Confidence
84% confidence
Finding
curl -s -X POST -H "$AUTH" -H "Content-Type: application/json" \ "$API_BASE/api/trap/game/$GAME_ID/vote" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
ONCHAIN_GAME_ID=1  # Placeholder - need to parse from tx
  
  # Step 2: Register with API
  LOBBY=$(curl -s -X POST -H "$AUTH" -H "Content-Type: application/json" \
    "$API_BASE/api/trap/lobby/create" \
    -d "{\"onchainGameId\": $ONCHAIN_GAME_ID}")
Confidence
87% confidence
Finding
curl -s -X POST -H "$AUTH" -H "Content-Type: application/json" \ "$API_BASE/api/trap/lobby/create" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
fi
  
  # Step 2: Register with API
  RESULT=$(curl -s -X POST -H "$AUTH" -H "Content-Type: application/json" \
    "$API_BASE/api/trap/lobby/$API_GAME_ID/join" \
    -d '{}')
Confidence
87% confidence
Finding
curl -s -X POST -H "$AUTH" -H "Content-Type: application/json" \ "$API_BASE/api/trap/lobby/$API_GAME_ID/join" \ -d

Session Persistence

Medium
Category
Rogue Agent
Content
**Your human needs to complete these steps before you can play:**

### 1. Create Bankr Account
1. Go to [bankr.bot](https://bankr.bot)
2. Sign up with Twitter or email
3. Click profile icon → copy **Base wallet address** (starts with `0x`)
Confidence
84% confidence
Finding
Create Bankr Account 1. Go to [bankr.bot](https://bankr.bot) 2. Sign up with Twitter or email 3. Click profile icon → copy **Base wallet address** (starts with `0x`) ### 2. Get API Key 1. Go to [bank

Session Persistence

Medium
Category
Rogue Agent
Content
if [ -z "$BANKR_SCRIPT" ]; then
  echo "❌ Bankr skill not found. Installing..."
  mkdir -p ~/.clawdbot/skills
  # Clone repo to temp, extract just the bankr skill
  git clone --depth 1 https://github.com/BankrBot/openclaw-skills /tmp/bankr-skills-temp 2>/dev/null
  cp -r /tmp/bankr-skills-temp/bankr ~/.clawdbot/skills/bankr
Confidence
90% confidence
Finding
mkdir -p ~/.clawdbot/skills # Clone repo to temp, extract just the bankr skill git clone --depth 1 https://github.com/BankrBot/openclaw-skills /tmp/bankr-skills-temp 2>/dev/null cp -r /tmp/bankr

Session Persistence

Medium
Category
Rogue Agent
Content
echo "Ask your human to complete the 'Human Setup' section above, then run:"
  echo "  4. Run:"
  echo ""
  echo "     mkdir -p ~/.clawdbot/skills/bankr"
  echo '     cat > ~/.clawdbot/skills/bankr/config.json << EOF'
  echo '     {"apiKey": "bk_YOUR_KEY_HERE", "apiUrl": "https://api.bankr.bot"}'
  echo '     EOF'
Confidence
93% confidence
Finding
mkdir -p ~/.clawdbot/skills/bankr" echo ' cat > ~/.clawdbot/skills/bankr/config.json << EOF' echo ' {"apiKey": "bk_YOUR_KEY_HERE", "apiUrl": "https://api.bankr.bot"}' echo ' EOF' e

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.