Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claw Rpg

v3.0.0

D&D-style lobster RPG system generating characters from SOUL and MEMORY, tracking XP, leveling up to 999 with prestige, and providing a web dashboard.

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes generating characters, tracking XP, and running a web dashboard, which matches the included scripts and dashboard. However the registry metadata states no required binaries or env vars, while SKILL.md and the shipped files clearly require Node/npm (commands like `node scripts/*.mjs`, `npm install`, `npm start`) and optionally use environment variables (OPENCLAW_WORKSPACE, PORT). That mismatch (declaring 'none' but shipping Node-based code) is an incoherence: a user installing this should expect to need Node and npm.
Instruction Scope
The instructions advise integrating scripts into agent runtime (run scripts/easter.mjs after every reply), setting up a cron job, and running a local web server exposed to the LAN. Those runtime actions go beyond a passive helper: they write/modify save files, increment conversation counters, award XP automatically, and may send notifications. Recommending an after-each-reply hook gives the skill broad opportunity to modify bot replies and update persistent state — appropriate for the feature but high-impact and deserves careful review before enabling.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the package includes many runnable scripts and a Node-based dashboard that requires `npm install` / `npm start`. This is low-to-moderate risk because code is bundled with the skill (no remote downloads), but the absence of an install step declaration (and missing explicit Node requirement) is an inconsistency users should be aware of.
Credentials
SKILL.md and registry metadata declare no required environment variables or primary credential, yet the code reads process.env.OPENCLAW_WORKSPACE and process.env.PORT and the README/SKILL.md references Telegram notifications (config.json and telegram_chat_id). The skill does not declare how Telegram bot credentials are provided, but scripts/_notify.mjs (present in the bundle) likely performs outbound network calls to notify — this is an undeclared credential/network requirement. That gap is suspicious: notification integrations and any outbound endpoints should be explicit so users can control secrets.
Persistence & Privilege
The skill moves and stores save data to a persistent path under the user's home (~/.openclaw/workspace/claw-rpg) and the docs recommend running setup-cron.mjs to create automated jobs. The skill therefore persists state across reinstalls and can schedule recurring tasks on the host. While not necessarily malicious, these are significant privileges (file writes in home + cron modification) and should be considered before granting the skill operational integration into an agent.
What to consider before installing
This skill implements the advertised RPG and dashboard, but there are several mismatches and potentially high-impact behaviors you should review before installing or enabling it:

- Node/npm required but not declared: the skill runs `node` scripts and asks you to run `npm install`/`npm start` for the dashboard. Make sure your environment has a trusted Node runtime and inspect the scripts before running them.
- Telegram/notification credentials are not declared: the README mentions Telegram reports but the registry metadata lists no required env vars. Search scripts/_notify.mjs and report.mjs to see how the bot token/chat id are supplied (env var vs config file) and avoid putting any shared or sensitive secrets into those locations until you verify behavior.
- Persistent save location & auto-migration: scripts will create and move character.json to ~/.openclaw/workspace/claw-rpg, which survives reinstalls. If you don't want persistent user-visible files, do not run the init/migration scripts or review and change paths first.
- Cron setup: setup-cron.mjs can add scheduled tasks. Review its code to confirm what it writes to your crontab or scheduler; prefer manual cron entries after inspection.
- Per-reply integration: the project recommends running easter.mjs after each reply. That gives the skill the ability to alter outgoing replies (appending flavor text) and to update XP/conversation counters. Only wire that into production reply paths after code review and preferably run it in a sandboxed/test agent first.
- Network & outbound behavior: audit scripts/_notify.mjs, report.mjs, and any network calls in the codebase to ensure there are no unexpected external endpoints or exfiltration of files (especially from MEMORY.md / USER.md which may contain private info).

Concrete next steps:

1) Review scripts/_notify.mjs, setup-cron.mjs, easter.mjs, and xp.mjs for IO and network behavior.
2) Run the code in an isolated environment (local VM or container) and avoid enabling the after-each-reply hook until you confirm it behaves as expected.
3) If you want Telegram reports, create a dedicated bot/account and store its token in a location you control; do not reuse high-privilege tokens.
4) If you don't want persistent state, edit scripts/_paths.mjs or set OPENCLAW_WORKSPACE to a directory you control before running init.mjs.
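
A first-pass triage for step 1, as an added example that is neither ClawHub's scanner nor code from the skill: it lists the environment variables a script reads and flags the same co-occurrences the scan reports (env access or file read together with a network send). The regex lists and the sample source are assumptions constructed for illustration.

```javascript
// Added example, not ClawHub's scanner. The pattern lists are assumed heuristics.
const PATTERNS = {
  env: /process\.env\.([A-Za-z_][A-Za-z0-9_]*)/g,
  fileRead: /\b(?:readFileSync|readFile|createReadStream)\s*\(/g,
  network: /\b(?:fetch|https?\.request|https?\.get)\s*\(/g,
  exec: /\b(?:execSync|exec|execFileSync|execFile|spawnSync|spawn)\s*\(/g,
};

// 1-based line numbers on which a pattern matches.
function linesMatching(source, regex) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    regex.lastIndex = 0; // global regexes keep state between test() calls
    if (regex.test(line)) hits.push(i + 1);
  });
  return hits;
}

function auditSource(name, source) {
  const envVars = [...new Set([...source.matchAll(PATTERNS.env)].map((m) => m[1]))];
  const fileRead = linesMatching(source, PATTERNS.fileRead);
  const network = linesMatching(source, PATTERNS.network);
  const exec = linesMatching(source, PATTERNS.exec);
  const findings = [];
  if (envVars.length && network.length) findings.push('env access + network send');
  if (fileRead.length && network.length) findings.push('file read + network send');
  if (exec.length) findings.push('spawns child process');
  return { name, envVars, fileRead, network, exec, findings };
}

// Constructed sample; NOT the contents of any Claw RPG script.
const SAMPLE = [
  "import { readFileSync } from 'node:fs';",
  "const cfg = JSON.parse(readFileSync('config.json', 'utf8'));",
  'const token = process.env.EXAMPLE_BOT_TOKEN;',
  "await fetch('https://notify.example.invalid/send', {",
  "  method: 'POST', body: JSON.stringify({ chat: cfg.telegram_chat_id, token }),",
  '});',
].join('\n');
```

Pass each script's text to `auditSource` and read the flagged lines by hand; a regex pass does not follow dynamic imports or computed property access, so a clean result is not proof of absence.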
scripts/_notify.mjs:13
Environment variable access combined with network send.
scripts/setup-cron.mjs:19
Environment variable access combined with network send.
scripts/_notify.mjs:7
File read combined with network send (possible exfiltration).
scripts/setup-cron.mjs:9
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk975jrv0kpjjr9nyz7ftrjay5s83mecm
427 downloads
1 star
17 versions
Updated 7h ago
v3.0.0
MIT-0

Claw RPG 🦞⚔️

A D&D-style character growth system for AI lobster agents. Reads your SOUL.md + MEMORY.md to generate a character sheet, accumulates XP from token usage, levels up from 1 to 999, and occasionally fires hidden RPG flavor text mid-conversation.

Quick Start

# 1. Initialize your character (reads SOUL.md + MEMORY.md)
node scripts/init.mjs

# 2. View your character sheet (terminal)
node scripts/sheet.mjs

# 3. Launch the web dashboard
cd dashboard && npm install && npm start     # http://localhost:3500

Hidden Easter Egg Trigger (Recommended)

After each reply, easter.mjs fires with a 12% base probability — appending a single line of italic RPG flavor text. Milestone conversations (10th, 25th, 50th, 100th, every 100 after...) always trigger.

node scripts/easter.mjs            # Normal call (updates conversation counter)
node scripts/easter.mjs --force    # Force trigger (debug)
node scripts/easter.mjs --preview  # Preview without writing to character data

Integration — add to your AGENTS.md:

After each reply to a user message, run: node <SKILL_ROOT>/scripts/easter.mjs
If the output is NOT __NO_TRIGGER__, append it to the reply (blank line + italic).
Do not run during heartbeat polls.
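
One way to wire this hook so the script's output is treated as untrusted before it reaches a user-facing reply (an added example, not part of Claw RPG). The length cap, the rejection rules and the function names are assumptions, and it assumes easter.mjs prints plain text that the caller italicizes.

```javascript
// Added example, not part of Claw RPG. Limits and names below are assumptions.
const NO_TRIGGER = '__NO_TRIGGER__';   // sentinel documented in the README
const MAX_FLAVOR_CHARS = 200;          // assumed cap for "a single line" of flavor text

// Return a safe one-line string, or null when nothing should be appended.
function vetFlavor(rawOutput) {
  const text = String(rawOutput).trim();
  if (text === '' || text === NO_TRIGGER) return null;
  if (/[\r\n]/.test(text)) return null;                      // README promises one line
  if (text.length > MAX_FLAVOR_CHARS) return null;
  if (/[\u0000-\u001f\u007f]/.test(text)) return null;       // control characters
  if (/https?:\/\/|\]\(|<[a-z!\/]/i.test(text)) return null; // URLs, markdown links, HTML
  // Escape markdown emphasis so the text cannot break out of the italic wrapper.
  return text.replace(/[*_`\\]/g, '\\$&');
}

// Blank line + italic, as the integration note describes.
function appendFlavor(reply, rawOutput) {
  const flavor = vetFlavor(rawOutput);
  return flavor === null ? reply : `${reply}\n\n*${flavor}*`;
}

// Run the hook without a shell and with a timeout; any failure leaves the reply untouched.
function runEasterHook(skillRoot, reply) {
  const { execFileSync } = require('node:child_process');
  const path = require('node:path');
  try {
    const out = execFileSync('node', [path.join(skillRoot, 'scripts', 'easter.mjs')],
      { encoding: 'utf8', timeout: 5000, maxBuffer: 64 * 1024 });
    return appendFlavor(reply, out);
  } catch {
    return reply;
  }
}
```
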

Daily Greeting (Optional)

For a daily RPG-style self-intro on the first conversation of the day:

node scripts/greet.mjs             # Fires once per day (checks lastGreetDate)
node scripts/greet.mjs --force     # Force send
node scripts/greet.mjs --preview   # Preview without saving

XP Sync

# Pass token delta from the current conversation
node scripts/xp.mjs --in 2000 --out 800

# With bonus XP (after completing a significant task)
node scripts/xp.mjs --in 2000 --out 800 --bonus 30

# Conversation count only
node scripts/xp.mjs --conversations 1

Prestige (Lv.999 cap reached)

node scripts/levelup.mjs --prestige

Prestige resets level to 1, permanently boosts all stats by +10%, and unlocks a new title tier.

Automated XP Sync (Recommended)

Set up a daily cron at 03:00 with the built-in setup script:

node scripts/setup-cron.mjs

Or call manually from a heartbeat/cron job:

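const { execFileSync } = require('child_process');
// Pass arguments as an array (no shell), so the path and token deltas are never parsed as shell syntax
execFileSync('node', [`${SKILL_ROOT}/scripts/xp.mjs`, '--in', String(deltaIn), '--out', String(deltaOut)]);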

Classes & Abilities

See references/classes.md and references/abilities.md

Prestige System

See references/prestige.md

Daily Report (v1.1.0)

Send a daily RPG status report to Telegram (level, stats, XP progress, class quip):

node scripts/report.mjs            # Send report now
node scripts/report.mjs --preview  # Preview without sending

Set up as an automated daily cron (default 18:00):

node scripts/setup-cron.mjs

Arena (v1.1.0)

Battle other agents or NPCs. Results affect XP and morale:

node scripts/arena.mjs --opponent "Shadow Wizard"
node scripts/arena.mjs --list   # View battle history

XP Recovery

If XP data gets out of sync, recover from session logs:

node scripts/sync-xp-recovery.mjs

Files

| File | Description |
| --- | --- |
| character.json | Character data (auto-generated, do not edit manually) |
| arena-history.json | Arena battle history |
| config.json | Optional: Telegram notification config ({ "telegram_chat_id": "..." }) |

What's New in v1.1.2

  • Save file protection: character.json now stored in ~/.openclaw/workspace/claw-rpg/ instead of the skill directory. Reinstalling the skill no longer resets your level and XP.
  • Auto migration: init.mjs automatically moves existing save data to the new location on first run.

What's New in v1.1.0

  • Per-conversation XP: easter.mjs now awards ~80 XP per conversation automatically
  • Daily Report: report.mjs + setup-cron.mjs for automated daily status push to Telegram
  • Arena system: arena.mjs for agent vs agent/NPC battles
  • XP Recovery: sync-xp-recovery.mjs to repair XP sync issues
  • Milestone triggers: Easter egg always fires at 10th, 25th, 50th, 100th, every 100 after
