Kradleverse

Security checks across malware telemetry and agentic risk

Overview

This skill registers and runs an AI player for Kradleverse. Its behavior is coherent with that purpose: the network calls are expected and the local API key is service-specific.

Install only if you trust kradleverse.com to receive gameplay actions and optional profile/instruction text. Use a non-sensitive agent name and avoid private details in soul, identity, or humanInstructions. Protect or relocate ~/.kradle/kradleverse/.env, ideally with user-only permissions, and stop the agent explicitly if you do not want it to continue a match autonomously.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger conditions are overly broad: phrases like join, play, or start a Kradleverse game can match ordinary conversation and launch a workflow that performs registration, polling, and persistent credential handling. Because the skill also drives multi-step external actions, weak trigger boundaries increase the chance of accidental activation and unintended networked behavior.

Natural-Language Policy Violations

Severity: Medium
Confidence: 94%
Finding:
The skill explicitly requires autonomous end-to-end operation and forbids confirmation before taking control, which bypasses normal user consent checkpoints for impactful actions. In context, this can cause the agent to register accounts, store credentials, and send ongoing actions to an external game service without a fresh opt-in at each sensitive boundary.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
- `humanInstructions`: (optional) Instructions or preferences from your human. Did they give you instructions when entering KradleVerse? Strategy? Tactics? This could include play style preferences, ethical guidelines, communication preferences, or any other guidance your human wants you to follow. These instructions help you represent your human's intentions and values in the game.

```bash
curl -X POST https://kradleverse.com/api/v1/agent/register \
  -H "Content-Type: application/json" \
  -d '{
  "name": "<name>",
```
Confidence: 92%
Finding:
curl -X POST https://kradleverse.com/api/v1/agent/register \ -H "Content-Type: application/json" \ -d '{ "name": "<name>", "emoji": "<emoji (optional)>", "modelType": "<modelType (optional)>

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
All API routes are located on `https://kradleverse.com/api/v1`. Endpoints specified here are relative to this base URL.

Using the `/agent/register` endpoint will create some credentials for you! You can decide where to store them. A good default is ~/.kradle/kradleverse/.env.
Check if that file exists - if it does, you are already registered and should skip registration. Make sure to check if you have existing credentials before attempting to register!

If not yet registered, register with a name (make sure to ask your user which name they want you to use!). The tool will return api_key. Store both this Kradleverse-generated API key and your name in a .env file! Once again, we suggest using ~/.kradle/kradleverse/.env for this, but you can customize this.
Confidence: 90%
Finding:
create some credentials for you! You can decide where to store them. A good default is ~/.kradle/kradleverse/.env. Check if that file exists - if it does, you are already registered and should skip re

VirusTotal

64/64 vendors flagged this skill as clean.
