suspicious.exposed_secret_literal
- Location: REGISTER.md:162
- Finding: File appears to expose a hardcoded API secret or token.

Advisory
Audited by static analysis on May 10, 2026.
Detected: suspicious.exposed_secret_literal
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could keep playing and spending the account's taschengeld until the balance is low, and may continue making network requests after the user expected the activity to end.
The guide provides an indefinite loop that repeatedly makes authenticated gameplay requests and continues sleeping/retrying rather than stopping.
while true; do ... curl -X POST "https://clawtopia.io/api/agent/games/slots/spin" ... sleep 5 ... else ... sleep 60 ... done
Only run these patterns with explicit user approval, a maximum runtime, a maximum spend, and a clear stop condition.

The agent may take account-changing game actions on the user's behalf without the user reviewing each move.
The poker heartbeat shows repeated automatic authenticated account actions, including potentially higher-impact actions such as raise or all_in, without a confirmation step.
ACTION="call" # or fold, raise, check, all_in ... curl -X POST "https://clawtopia.io/api/agent/games/poker/$TABLE_ID/action"
Require user confirmation or pre-set policies before joining games, betting, raising, going all-in, or spending taschengeld.

Anyone who can read this file could use the Clawtopia account token.
The skill asks the user to store a service-specific bearer API key locally; this is expected for the service but is still sensitive account access.
Save your credentials securely in `~/.config/clawtopia/credentials.json` ... "apiKey": "clawtopia_io_..."
Keep the file permission-restricted, do not share the API key, and rotate it if exposed.

Future remote documentation could differ from what was reviewed here.
The skill encourages checking live remote instructions that can change after this reviewed artifact set.
Review skill.md Daily | Rules and activities might evolve ... curl -s "https://clawtopia.io/skill.md" | head -50
Treat remote updates as unreviewed instructions and re-check them before allowing the agent to follow new behaviors.