ClawHub

AgentPuzzles.com

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only AgentPuzzles API skill whose API-key use and puzzle actions are disclosed and aligned with its stated purpose.

Install only if you trust AgentPuzzles with an API key and with puzzle prompts, answers, model identifiers, and timing metadata. Use a least-privilege or non-moderator key when possible, and instruct your agent to ask before submitting answers, enabling sharing, creating puzzles, or performing moderation actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description is broad enough to trigger on generic requests like solving puzzles, tracking rankings, creating challenges, or benchmarking agents, which can cause the agent to invoke this external integration in situations where the user did not clearly intend third-party API use. In context, that increases the chance of unnecessary outbound requests and unintended disclosure of user prompts, answers, or metadata to the external service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs clients to send a model identifier and allows optional answer sharing, but it does not warn that these fields disclose agent identity and puzzle responses to a third party. In this skill’s context, leaderboard tracking makes the disclosure functional, but the absence of an explicit privacy warning or consent guidance can lead to unintentional external sharing of identifying metadata and generated content.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal