Skill v1.0.0

ClawScan security

龙虾文游系统 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 14, 2026, 8:45 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is a local text-adventure engine that is coherent with its stated game purpose, but its documentation and marketing overstate 'intelligent'/LLM-driven parsing and dynamic generation while the shipped code implements only simple, local rule-based parsing and responses; also it writes save files to disk (game_saves).
Guidance
This skill appears to be a locally-run text-adventure engine and does not request credentials or network access by default — that part is coherent and low-risk. Two things to consider before installing: (1) The documentation markets '智能解析' and fully dynamic LLM-driven storytelling, but the included game_engine.py implements simple line-based parsing and canned responses; if you expect LLM-quality dynamic generation you or the integrator will need to modify the code and add an LLM API (which would require API keys). (2) The engine writes save files into a local 'game_saves' folder; saved files can contain users' scripts and history, so treat that directory like any other user data (backup, permissions, or cleanup as needed). If you plan to extend the skill to call external LLMs, only add network calls after reviewing where API keys will be stored and ensure they are scoped appropriately. Overall: functionally coherent but marketing is overstated—proceed if the shipped local behaviour meets your needs, or only install after reviewing/adding any LLM integrations and their credential handling.

Review Dimensions

Purpose & Capability
note
Name/description claim an '智能' LLM-driven parser and fully dynamic generation. The repository actually contains a self-contained Python engine (game_engine.py) that performs simple line-based script loading, basic pattern matching, and canned responses. The README shows an example of how a developer could integrate an LLM (OpenAI) but no network/LLM integration is present by default. This is an overstatement of built-in capability rather than an outright mismatch (functionality is appropriate for a text-adventure skill, but the 'intelligent' claims are exaggerated).
Instruction Scope
ok
SKILL.md and README describe only game interactions (start game, save/load, status, help) and expected inputs. The runtime instructions do not ask the agent to read unrelated system files, network endpoints, or secrets. The README includes an optional example for adding OpenAI calls, but that is not invoked by the shipped code or declared as required.
Install Mechanism
ok
No install spec is provided (instruction-only skill with included source). There are no downloads from external URLs or package installs. The skill includes local Python code that would run in the agent environment if executed, but nothing is pulled from remote hosts at install time.
Credentials
ok
The skill requests no environment variables or credentials. The README contains an example snippet to integrate OpenAI (which would require API credentials if a user or integrator adds it), but the shipped code does not access external credentials.
Persistence & Privilege
note
The engine creates and writes files under a local 'game_saves' directory for save/load functionality. always is false and the skill does not request system-level privileges. Persisting user-provided scripts and history to disk is expected for a game but is a persistence surface to be aware of (saves may contain user input).