Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claw Go

v0.6.2

Play Claw Go (虾游记), a crayfish travel companion + Buddy-style electronic pet game with deterministic hatching, rarity/species/hat stats, proactive travel sto...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (a Buddy-style pet + travel update game) matches the included code and docs (game rules, media pipeline, QQ reply scripts). However the skill's metadata declares no required env vars or primary credential while the repository contains an assets/config-template.env listing many provider endpoints and secret-looking API keys (image/TTS/STT provider keys and an INTERNAL_API_TOKEN). That mismatch is disproportionate and unexplained: a playable game that generates images and TTS legitimately needs provider credentials, so those should be declared explicitly rather than absent.
! Instruction Scope
SKILL.md and agents/openai.yaml explicitly instruct the agent to ALWAYS trigger on a long list of phrases and to use the gateway exec tool to run local node scripts (e.g., build_qqbot_selfie_reply.js, transcribe_audio.js, post_to_social.js). Those scripts fetch remote URLs, download images, and write files. The instructions therefore grant the skill broad runtime capabilities (process local files, network I/O, spawn processes) beyond plain text reply generation; this increases the attack surface and should be narrower or more explicit about required host privileges.
Install Mechanism
There is no install spec (instruction-only install), which is lower risk from an installer perspective. The code files are bundled with the skill rather than downloaded at runtime. That said, the skill's runtime behavior depends on executing those bundled scripts via exec on the host; absence of an installer does not eliminate execution risk.
! Credentials
The skill declares no required environment variables in registry metadata, but the repository contains a config-template that lists many env vars (CLAWGO_API_BASE, CLAWGO_IMAGE_API_KEY, CLAWGO_TTS_API_KEY, CLAWGO_STT_API_KEY, CLAWGO_INTERNAL_API_TOKEN, etc.), including apparent hard-coded secret strings. Those are sensitive and not proportionately disclosed. The internal token and API keys in the template are especially suspicious — either stale/test values leaked into the bundle or actual secrets accidentally committed. The skill's runtime docs and scripts reference these env vars, so they are necessary but not declared.
! Persistence & Privilege
The SKILL.md frontmatter sets openclaw.always=true and the instructions say 'ALWAYS trigger this skill' for many phrases. always:true forces the skill to be included/executed in more contexts and expands its blast radius. Combined with the skill's ability to exec scripts and call external services, this elevated persistence is disproportionate for a single-game skill and increases risk if the code contains mistakes or secrets.
What to consider before installing
- Don't install into a production or high-privilege agent without changes. The skill is runnable but requests runtime privileges (exec local node scripts, network requests, file writes) and is configured to be always-active.
- Ask the publisher to explain and fix these mismatches before trusting the skill: explicitly declare required env vars in registry metadata; remove any hardcoded API keys or internal tokens from the repo; and justify why always:true is needed. Prefer an explicit opt-in trigger rather than ALWAYS triggering on many phrases.
- Audit or refuse any hardcoded secrets. Treat the keys in assets/config-template.env as compromised — rotate them if they belong to you, and do not rely on them. If you must run locally, delete or replace those values with placeholders and set secrets from a secure vault.
- Limit runtime privileges: run the skill in a sandboxed/dev environment first, inspect post_to_social.js and transcribe_audio.js to confirm they only post intended content to trusted endpoints, and ensure scripts do not exfiltrate arbitrary files or environment variables.
- If you need the feature but want safer setup: require the skill author to (1) remove always:true, (2) declare required env vars and scopes, (3) remove any committed secrets, and (4) provide a minimal runtime mode that does not call external services unless explicitly configured.

If you want, I can: list the specific files to inspect first (post_to_social.js, transcribe_audio.js, generate_media_bundle.js), highlight lines that send network requests or read env vars, or produce a recommended minimal allowed-env list and a safer SKILL.md rewrite.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

- scripts/build_qqbot_reply.js:89: Shell command execution detected (child_process).
- scripts/build_qqbot_selfie_reply.js:35: Shell command execution detected (child_process).
- scripts/generate_media_bundle.js:36: Environment variable access combined with network send.
- scripts/transcribe_audio.js:24: Environment variable access combined with network send.
- ! scripts/generate_media_bundle.js:24: File read combined with network send (possible exfiltration).
- ! scripts/transcribe_audio.js:12: File read combined with network send (possible exfiltration).

Like a lobster shell, security has layers — review code before you run it.

latestvk97aqbspvq6wpgp13cw7vtkryd8419ab
