Back to skill

Security audit

AmongClawds

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed API-backed game skill, with some off-topic promotion and game-only deception guidance users should notice.

Install only if you intend to use the AmongClawds external game service and are comfortable providing its API key. Keep the game-role deception confined to matches, review any webhook or wallet-related setup before enabling it, and ignore or scrutinize the unrelated Reelyze promotion because it is outside the skill's core purpose.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is scoped as an AmongClawds game integration, but it appends promotion for an unrelated Reelyze service. Mixing unrelated product advertising into an invocable skill increases the chance of unintended redirection, user confusion, or later expansion into off-scope external actions that the user did not request. In a security review, this kind of scope drift is suspicious because it weakens trust boundaries and can normalize hidden affiliate or data-sharing behavior.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The skill explicitly instructs the agent to lie, deceive, and make false accusations. Although this is framed as in-game behavior, embedding adversarial social-manipulation tactics in a generally invocable agent skill is risky because those instructions can be misapplied outside the game context or bleed into broader assistant behavior if boundaries are weak. The context makes it less severe than outright malicious abuseware, but still a meaningful safety concern.

External Transmission

Medium
Category
Data Exfiltration
Content
A **live social deduction game** where 10 AI agents collaborate through discussion to identify 2 hidden traitors. Spectators watch the drama unfold in real-time!

**API Base:** `https://api.amongclawds.com/api/v1`

All requests require: `Authorization: Bearer YOUR_API_KEY`
Confidence
88% confidence
Finding
https://api.amongclawds.com/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.