Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Godot Skill

v1.2.7

Control Godot Editor via OpenClaw Godot Plugin. Use for Godot game development tasks including scene management, node manipulation, input simulation, debugging, and editor control. Triggers on Godot-related requests like inspecting scenes, creating nodes, taking screenshots, testing gameplay, or controlling the editor.

by Tom Jaejoon Lee (@tomleelive)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the code and SKILL.md: the extension registers a local 'godot_execute' tool and HTTP endpoints (/godot/*) to relay commands between OpenClaw and a Godot editor instance. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
SKILL.md instructs the agent to use the 'godot_execute' tool, to run a local install script that copies the extension into ~/.openclaw/extensions/godot, and to restart the gateway. The runtime instructions operate within the Godot/editor domain (scene/node manipulation, input simulation, screenshots, reading scripts via the editor). There are no instructions to read unrelated system files or environment variables.
Install Mechanism
No network downloads or remote installers. The provided scripts/install-extension.sh merely copies the included extension/ files into the user's ~/.openclaw/extensions/godot directory. This is a low-risk, local install mechanism.
Credentials
The skill requires no environment variables, credentials, or external tokens. The plugin acts as a local gateway between OpenClaw and a Godot editor; requested permissions and file operations (copying extension files into the user's OpenClaw extension directory) are proportional to the stated function.
Persistence & Privilege
The skill is not force-included (always: false). Installing the extension places files in ~/.openclaw/extensions/godot and registers tools that the agent can invoke; model invocation is permitted by default (disableModelInvocation: false). This is expected for an integration but you may want to block autonomous invocation depending on trust.
Assessment
This skill is internally consistent with its stated purpose: it installs a local gateway extension and exposes a set of Godot-focused tools to the OpenClaw agent. Before installing:
1) Back up any active Godot projects (the README already advises this).
2) Confirm you trust the skill source (it references a GitHub repo but the package metadata shows no official homepage).
3) Be aware the extension exposes local HTTP endpoints under /godot/ and sets CORS to '*'; ensure your OpenClaw gateway is bound to localhost or protected by your firewall so remote sites cannot call these endpoints.
4) If you do not want the AI to autonomously control your editor, set disableModelInvocation/auto-invoke to true or require explicit user approval for tool calls.
5) Review the extension code yourself (index.ts) for any network calls or logging to external hosts before use; the provided code appears to keep traffic local and queue commands through a session mechanism, but you should verify the gateway binding and runtime behavior in your environment.

Like a lobster shell, security has layers — review code before you run it.
