Enable your openclaw to create mods for Stardew Valley

Security checks across malware telemetry and agentic risk

Overview

This Stardew Valley modding skill is mostly purpose-aligned, but its helper script can write files outside the intended project folder if given unsafe names and can generate build files from unescaped input.

Review this skill before installing. Use only trusted, simple mod and author names with no slashes, path segments, or markup; inspect generated files before running dotnet build; and avoid letting it create or overwrite files automatically until path validation and template escaping are added.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill includes executable examples and operational guidance that use shell commands and local file access (`python3 -c ... open('file.json')`, `dotnet build`, tool checks via `shutil.which`). If the platform detects these capabilities but the skill declares no permissions, runtime policy may be bypassed and users may be surprised by filesystem and command execution behavior. In this context, the commands relate to mod development rather than overtly malicious behavior, but undeclared capabilities still increase risk because the skill can prompt or enable local execution against user files and environment.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases include broad expressions such as “做星露谷 mod” / “创建 Stardew Valley Mod” / “星露谷 Mod 制作”, which can match many normal conversations about modding. Overly broad activation can cause the skill to engage unexpectedly and then steer the session into file creation, shell commands, or environment inspection without the user intending to invoke a build-oriented workflow. Because this skill contains code-capable guidance, accidental invocation is riskier than for a purely informational skill.

VirusTotal

66/66 vendors flagged this skill as clean.
