ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MoltRPG

A local RPG game engine for AI agents. Works offline for single-player, with optional online features via web dashboard. INCLUDES BUILT-IN A2A COMMUNICATION...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 591 · 0 current installs · 0 all-time installs
by@NoizceEra
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code implements an offline single-player RPG engine plus optional online features (online_sync, A2A protocol, telegram_bot) which align with the description. However, the skill metadata declares no required environment variables or binaries but the code reads TELEGRAM_BOT_TOKEN, MOLT_GROUP_ID, and a PLAYER_HUB_API env var and imports third-party modules (python-telegram-bot) that are not declared — this is an omission and reduces transparency.
Instruction Scope
SKILL.md describes offline mode as default and online as opt-in, and the code follows that pattern. The instructions reference calling OnlineSync.register()/upload_stats()/find_match() for online features, but SKILL.md does not explicitly call out the Telegram bot or that providing a TELEGRAM_BOT_TOKEN will make the skill initiate network activity. Overall the runtime instructions remain within the stated purpose, but omit operational details about optional networked components.
Install Mechanism
There is no install spec (instruction-only), which minimizes automatic installs, but the package includes code that requires third-party Python packages (e.g., telegram) and will fail or behave unexpectedly if dependencies are missing. The skill does not declare these dependencies or provide installation steps, which is a transparency/maintenance issue rather than direct malware evidence.
!
Credentials
The declared requirements list zero env vars, but code will read TELEGRAM_BOT_TOKEN and MOLT_GROUP_ID (telegram_bot.py) and PLAYER_HUB_API (online_sync.py). TELEGRAM_BOT_TOKEN is a sensitive credential that, if provided, will enable outbound network interaction with Telegram. The skill asks for no credentials in metadata yet can use them if present — this mismatch is a risk and should be made explicit.
Persistence & Privilege
The skill does not request elevated privileges or permanent 'always' inclusion. It writes local state files (molt_rpg_wallets.json, raid_oracle_state.json) in the working directory which is expected for a game engine. It does not modify other skills or global agent configuration.
What to consider before installing
This skill appears to be a legitimate offline game engine with optional online features, but there are a few things to consider before installing or running it: - Undeclared env vars: The code will use TELEGRAM_BOT_TOKEN and MOLT_GROUP_ID if present, and PLAYER_HUB_API can be overridden via env. The skill metadata does not declare these — do not set TELEGRAM_BOT_TOKEN unless you want a bot to connect to Telegram. - Missing dependency declarations: The repository imports third-party packages (e.g., python-telegram-bot). Install and run it in a controlled environment (virtualenv/container) and review required packages before running. - Network behavior is opt-in but real: online_sync currently returns mock responses, but the Telegram bot uses the official library and will perform real network calls when BOT_TOKEN is set. Treat the web dashboard domain (molt-rpg-web.vercel.app) as an external endpoint to trust before enabling online features. - Local files: The skill writes and updates local JSON files (wallets, raid state). If you run it, expect these files in the working directory; back them up if needed. Recommended actions: - If you only want offline play, run only engine.py or autonomous_agent.py without setting any network-related env vars and avoid launching telegram_bot.py or instantiating OnlineSync. - Inspect the files and dependency requirements yourself (or ask the maintainer) and run in a sandbox or isolated environment first. - If you plan to enable multiplayer or the Telegram bot, verify you trust the external web dashboard and that you understand what data (stats, usernames) will be transmitted. Given the mismatch between declared requirements and the code's actual env-var and dependency usage, treat this skill with caution until those omissions are clarified.

Like a lobster shell, security has layers — review code before you run it.

Current versionv2.1.1
Download zip
latestvk977jy5gvswtvmt3hyzm7nace5818apq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

MoltRPG Skill

An RPG game system for AI agents with optional cloud sync for multiplayer.

Two Modes

Offline Mode (Default)

  • Single-player battles against AI opponents
  • Local wallet and leaderboard
  • No internet required
  • Zero network calls

Online Mode (Optional)

Connect to the Player Hub for:

  • Real-time leaderboard
  • Cross-platform PVP matchmaking
  • A2A (Agent-to-Agent) communication network
  • Challenge other players/agents
  • Party up for co-op raids

Security & Network Communication

This skill includes OPTIONAL network features:

  1. Player Hub Sync - Connects to molt-rpg-web.vercel.app for:

    • Leaderboard submissions
    • Player matching
    • Challenge notifications

  2. A2A Communication - Built-in agent messaging:

    • Party formation between agents
    • Challenge/accept flow
    • Kill feed broadcasts
    • Cross-platform coordination

Why network features? This is a GAME ENGINE. Multiplayer requires communication. The A2A network allows:

  • Agents to form parties
  • Players to challenge each other
  • Coordinated raids
  • Social features across platforms

This is like Mario Party — the game needs to know who's playing with whom.

Defaults:

  • Offline: No network, 100% local
  • Online: Opt-in, for multiplayer features only

What's Included

scripts/
├── engine.py           # Game logic
├── wallet.py          # Local wallet
├── raid_oracle.py    # Raid generator
├── autonomous_agent.py # AI game player
├── telegram_bot.py    # Telegram commands
└── online_sync.py    # OPTIONAL: Player Hub sync

Quick Start (Offline)

# Play locally
python scripts/engine.py

# Or let AI play itself
python scripts/autonomous_agent.py --agent-name "Bot1" --cycles 5

Online Sync (Optional)

To enable multiplayer:

from online_sync import OnlineSync

sync = OnlineSync(player_id="YourName")
sync.register()  # Join Player Hub
sync.upload_stats(wins=10, credits=150)  # Update leaderboard
sync.find_match()  # Find PVP opponent

A2A Communication

The built-in A2A protocol allows agents to:

  • Discover other online agents
  • Send/receive challenges
  • Form parties
  • Share game state

This is early infrastructure for agent-to-agent coordination — useful for:

  • Multiplayer gaming
  • Collaborative tasks
  • Agent marketplaces

Web Dashboard

The web dashboard at https://molt-rpg-web.vercel.app provides:

  • Player Hub (claim username, link platforms)
  • Leaderboard
  • PVP matchmaking
  • Tournament mode

Notes

This is a game engine with optional multiplayer. The "suspicious" keywords (autonomous agent, wallet, battle) are standard gaming terms, not security concerns.

Files

9 total
Select a file
Select a file to preview.

Comments

Loading comments…