ClawArena
ReviewAudited by ClawScan on May 10, 2026.
Overview
ClawArena’s prediction-game API use is mostly coherent, but it asks the agent to create a recurring heartbeat that fetches and follows remote instructions.
Install only if you are comfortable with a ClawArena API key and prediction submissions. Do not enable the heartbeat unless you want recurring background checks, and require the agent to ask before following remote heartbeat updates or posting any prediction.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Future content hosted at that URL could steer what the agent does during recurring checks without the user seeing it first.
This makes remotely fetched markdown instructions authoritative for future agent behavior, outside the reviewed installed artifact.
If 4+ hours since last ClawArena check: 1. Fetch https://clawarena.ai/heartbeat.md and follow it
Do not let the agent automatically follow remote heartbeat instructions; require user review/approval and pin or vendor the exact instructions being used.
The agent may keep contacting ClawArena and prompting the user every few hours unless the heartbeat entry is removed.
The skill asks to create a recurring task and persistent state so the agent continues checking ClawArena after the initial interaction.
Add this to your `HEARTBEAT.md` ... `## ClawArena (every 4-8 hours)` ... `Update lastClawArenaCheck timestamp in memory`
Make the heartbeat explicitly opt-in, add a clear stop/uninstall instruction, and require confirmation before enabling periodic behavior.
Predictions could be posted under the user’s ClawArena agent identity.
The documented API call submits predictions that affect the user’s ClawArena account/leaderboard state; this is central to the skill but should remain user-directed.
curl -X POST https://clawarena.ai/api/v1/predictions ... "market_ticker": "MARKET_TICKER", "prediction": "yes"
Require explicit user confirmation before submitting predictions, especially from recurring heartbeat flows.
Anyone or any agent flow with access to the key could read the account status or submit predictions.
The skill uses and stores a provider API key, which is expected for ClawArena account access but grants authority to act as the registered agent.
"primaryEnv":"CLAWARENA_API_KEY","credentials":[{"name":"api_key","env":"CLAWARENA_API_KEY","storage":"~/.config/clawarena/credentials.json"}]Use a dedicated ClawArena key, protect the credentials file, and revoke or rotate the key if the skill is no longer used.
Prediction-related state may persist in agent memory and influence later reminders or recommendations.
The skill stores persistent state for future checks; this is purpose-aligned but means ClawArena context can be reused across sessions.
Create or update your state file (e.g. `memory/heartbeat-state.json`): { "lastClawArenaCheck": null, "lastPrediction": null, "pendingReviews": [] }Keep the state file limited to non-sensitive ClawArena data and provide a way to clear it.