Unreal Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Unreal Editor automation skill, but it exposes broad project-changing editor control through unauthenticated local HTTP endpoints and a generic command bridge.

Install only if you are comfortable allowing an AI-controlled bridge to modify a live Unreal project. Use source control or backups, keep the gateway local and firewalled, verify the separate Unreal plugin, and require explicit approval for deletes, saves, imports, property changes, screenshots/logs, input simulation, and console commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The skill documents high-risk capabilities such as keyboard/mouse simulation and arbitrary console command execution, which can drive editor or system-adjacent actions far beyond normal content editing. In combination with autonomous agent behavior, these tools can trigger destructive editor changes, execute dangerous engine commands, or bypass safer structured APIs.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The guidance explicitly recommends leaving autonomous model invocation enabled by default even though the skill exposes destructive tools like actor deletion, asset import, console execution, screenshots, and input simulation. This increases the chance that an LLM can take impactful actions without an explicit user request, making prompt injection, misunderstanding, or overreach materially more dangerous.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
The HTTP API allows any caller to register sessions, poll commands, submit tool results, send heartbeats, and enumerate active sessions without authentication or origin restrictions. Because the plugin bridges to powerful Unreal Editor actions such as console execution, asset import, and actor manipulation, an attacker on the same host or reachable network path could spoof a session, hijack command flow, or inject forged results and metadata.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The README advertises very broad natural-language triggers such as 'Start play mode' and 'Take a screenshot' without indicating any confirmation, scoping, or safety boundaries. In an agent system, vague invocation guidance can cause unintended activation of editor-affecting actions from ordinary conversation, which is more concerning here because the skill can manipulate a live Unreal project and runtime state.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill exposes destructive editor capabilities such as opening, saving, creating, deleting, and modifying actors without any warning about side effects, data loss, or the need for user confirmation. In an agent-controlled environment, this increases the chance that an LLM or user invokes state-changing operations unintentionally, causing project corruption or loss of work.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill includes screenshot capture and project log reading features without any privacy or data-sensitivity warning. Screenshots and logs can expose proprietary assets, source paths, credentials, tokens, prompts, or other sensitive development data, making silent collection or exfiltration more likely.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
Simulated input and console command execution can materially alter editor state, trigger automation, change configuration, or invoke unsafe commands, yet the skill provides no warning or guardrails. In an LLM-agent context, these are high-risk primitives because they can be chained to perform unintended actions beyond normal tool boundaries.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill lists numerous state-changing operations (creating, deleting, and modifying actors and components, importing assets, starting play mode, and executing console commands) without warning users that these actions can alter projects, overwrite state, or cause data loss. In an agent skill, omission of such warnings is security-relevant because users may not realize the breadth and irreversibility of available actions.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The skill describes continuous HTTP communication between the Unreal plugin and the gateway, including polling, heartbeats, results, status, logs, screenshots, and other editor-derived data, but does not warn about privacy or data-sharing implications. This can expose project structure, asset names, viewport contents, logs, and session metadata to another service without making the user aware of the sensitivity of that information.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The endpoints disclose project names, engine versions, platform details, session IDs, and activity timing via /unreal/status, while also accepting session traffic with no visible trust boundary, consent prompt, or transport/authentication safeguards. In the context of an editor-control bridge, this increases the attack surface by enabling reconnaissance and silent network interaction with a highly privileged local workflow.

VirusTotal

64/64 vendors flagged this skill as clean.