ClawQuest: Agent Mine - OpenClaw Managed Mining

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent game-mining automation, but it stores and exposes a game API code and can spend in-game diamonds through unauthenticated HTTP tools.

Install only if you trust the host and can keep the service local or access-controlled. Treat `apiCode` like a password, avoid `get_api_code` unless necessary, clear cached codes when finished, and do not enable `autoBuyStamina` unless you accept unattended diamond spending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding: The code implements automated stamina purchasing when resources are insufficient, which causes the agent to spend in-game premium currency (diamonds) without any explicit user confirmation or policy guard visible in this file. Even if intended as convenience automation, this creates a real risk of unauthorized or unexpected resource expenditure, especially because it is embedded inside a retry loop and can execute repeatedly until a failure threshold is reached.

Missing User Warnings

Medium
Confidence: 93%
Finding: The skill exposes a `buy_stamina` action that spends in-game diamonds, but the documentation does not clearly warn that this is a currency-spending, irreversible action requiring explicit user consent. In an agent-driven workflow, this increases the risk of unintended purchases if the tool is invoked automatically or without a confirmation step.

Missing User Warnings

Medium
Confidence: 97%
Finding: The skill documents `autoBuyStamina` and related environment variables that can repeatedly purchase stamina using diamonds, but it does not prominently warn that this may trigger repeated premium-currency spending over time. In a managed loop, this is more dangerous than a one-off purchase because spending can continue unattended until resources are exhausted or failure thresholds are hit.

Missing User Warnings

Medium
Confidence: 97%
Finding: The service stores sensitive API codes on disk and exposes them through a `get_api_code` endpoint with no authentication or authorization checks visible in this file. Any caller that can reach the service can retrieve cached credentials by key, turning the application into a credential disclosure service and enabling unauthorized use of the upstream game account/API.

Unpinned Dependencies

Low
Category: Supply Chain
Content:
    "node": ">=20"
  },
  "dependencies": {
    "express": "^4.21.2",
    "zod": "^3.23.8"
  },
  "scripts": {
Confidence: 83%
Finding: "express": "^4.21.2"

Unpinned Dependencies

Low
Category: Supply Chain
Content:
  },
  "dependencies": {
    "express": "^4.21.2",
    "zod": "^3.23.8"
  },
  "scripts": {
    "start": "node index.js"
Confidence: 83%
Finding: "zod": "^3.23.8"

VirusTotal

66/66 vendors flagged this skill as clean.