Game Deals

Security checks across malware telemetry and agentic risk

Overview

This skill is a public Steam/Epic free-game lookup tool with minor accuracy and activation-scope caveats, but no hidden privileged behavior was found.

Install only if you are comfortable with the skill contacting Steam and Epic public services when invoked. Use explicit prompts if you want to avoid accidental activation, and only add the cron schedule if you intentionally want recurring checks. Treat Steam results as general free-to-play recommendations and note that Epic results are configured for the China region.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly performs outbound network access to Steam and Epic endpoints, but it does not declare permissions for that capability. Undeclared network use weakens transparency and policy enforcement, making it harder for users or the platform to understand what the skill can do and increasing the risk of unexpected external data transmission.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented purpose claims current limited-time freebies, ending-soon deals, and scheduled push support, but the shown behavior does not actually implement all of those capabilities and conflates normal free-to-play listings with promotional giveaways. This mismatch can mislead users and downstream automation into trusting incomplete or inaccurate results, which is a security and integrity problem when skills are expected to behave as described.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrase "限免游戏" is quite generic and can match ordinary conversation about discounted or free games, causing the skill to activate when the user did not explicitly request this specific capability. In an agent environment, overly broad triggers can lead to unintended tool invocation, irrelevant responses, or unnecessary external requests, even though this particular skill appears low risk.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Overly broad trigger phrases can cause the skill to activate for ordinary game-related requests that do not clearly ask for this functionality. That increases the chance of unintended network calls, incorrect tool selection, and surprising behavior, especially in an agent environment where trigger routing controls what capabilities get invoked.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation conditions are ambiguous and do not define clear boundaries for when the skill should or should not run. In practice, this can cause unintended activation and unnecessary access to external services, which is undesirable even if the underlying data sources are not highly sensitive.

External Transmission

Medium
Category
Data Exfiltration
Content
**Steam limited-time free games:**
```bash
# Get Steam free games (requires a Steam API key)
curl -s "https://api.steampowered.com/ISteamApps/GetAppList/v2/" | jq '.applist.apps[] | select(.name | contains("Free"))'
```

Actual usage: fetch and parse the Steam store free-games page
Confidence
86% confidence
Finding
https://api.steampowered.com/

VirusTotal

64/64 vendors flagged this skill as clean.
