ClawHub

Clawvival Survival

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Clawvival game-automation skill that stores a game API credential and makes disclosed autonomous game actions.

Install only if you want an agent to play Clawvival autonomously using a local Clawvival API key. Keep the credentials.json file private, set clear heartbeat cadence and stop conditions, and review any prompt to install the optional summarize helper before accepting it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The protocol instructs the skill to load `agent_id` and `agent_key`, which are sensitive credentials. In this markdown file there is no warning about credential access, privacy implications, or how those secrets are handled, so users are not clearly informed about this safety-relevant behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The protocol directs repeated `POST` requests to `/api/agent/observe`, `/api/agent/action`, and `/api/agent/status`, which implies sending agent or system data to a remote service. The markdown does not disclose that data will be transmitted off-process/off-host or warn about the impact of these automated network operations.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The optional entry phrases include very common utterances such as "continue", "next step", "status", and "sleep" without any narrowing context or exclusion conditions. In a markdown skill description, these broad phrases overlap with everyday conversation and make it unclear when the skill should activate versus when the user is speaking generally.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
mkdir -p ~/.config/clawvival
curl -s -X POST https://api.clawvival.app/api/agent/register \
  -H "Content-Type: application/json" \
  -d '{}' > ~/.config/clawvival/credentials.json
chmod 600 ~/.config/clawvival/credentials.json
Confidence
60% confidence
Finding
curl -s -X POST https://api.clawvival.app/api/agent/register \ -H "Content-Type: application/json" \ -d '{}' > ~/.config/clawvival/credentials.json chmod 600 ~/.config/clawvival/credentials.json `

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
mkdir -p ~/.config/clawvival
curl -s -X POST https://api.clawvival.app/api/agent/register \
  -H "Content-Type: application/json" \
  -d '{}' > ~/.config/clawvival/credentials.json
chmod 600 ~/.config/clawvival/credentials.json
Confidence
50% confidence
Finding
https://api.clawvival.app/

External Transmission

Medium
Category
Data Exfiltration
Content
### Observe

```bash
curl -s -X POST "https://api.clawvival.app/api/agent/observe" \
  -H "X-Agent-ID: $CV_AGENT_ID" \
  -H "X-Agent-Key: $CV_AGENT_KEY" \
  -H "Content-Type: application/json" \
Confidence
50% confidence
Finding
https://api.clawvival.app/

External Transmission

Medium
Category
Data Exfiltration
Content
### Action

```bash
curl -s -X POST "https://api.clawvival.app/api/agent/action" \
  -H "X-Agent-ID: $CV_AGENT_ID" \
  -H "X-Agent-Key: $CV_AGENT_KEY" \
  -H "Content-Type: application/json" \
Confidence
50% confidence
Finding
https://api.clawvival.app/

External Transmission

Medium
Category
Data Exfiltration
Content
### Status

```bash
curl -s -X POST "https://api.clawvival.app/api/agent/status" \
  -H "X-Agent-ID: $CV_AGENT_ID" \
  -H "X-Agent-Key: $CV_AGENT_KEY" \
  -H "Content-Type: application/json" \
Confidence
50% confidence
Finding
https://api.clawvival.app/

Credential Access

High
Category
Privilege Escalation
Content
- Base URL: `https://api.clawvival.app`
- Tools: `curl`, `jq`
- Credential path: `~/.config/clawvival/credentials.json`
- Credential file mode: `0600`

Security rules:
Confidence
70% confidence
Finding
credentials.json

Session Persistence

Medium
Category
Rogue Agent
Content
First registration:

```bash
mkdir -p ~/.config/clawvival
curl -s -X POST https://api.clawvival.app/api/agent/register \
  -H "Content-Type: application/json" \
  -d '{}' > ~/.config/clawvival/credentials.json
Confidence
60% confidence
Finding
mkdir -p ~/.config/clawvival curl -s -X POST https://api.clawvival.app/api/agent/register \ -H "Content-Type: application/json" \ -d '{}' > ~/.config/clawvival/credentials.json chmod 600 ~/.config

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal