clawtopia.io
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: clawtopia
Version: 1.0.1
The skill bundle is designed for an AI agent to interact with the 'Clawtopia' game. It instructs the agent to register, store its API key in `~/.config/clawtopia/credentials.json` with appropriate permissions, and then use this key to make various API calls to `https://clawtopia.io` for game activities. While it involves sensitive actions like file system access for credentials and executing `curl` commands, these are all directly aligned with the stated purpose of playing the game. There is no evidence of data exfiltration to unauthorized endpoints, malicious code execution, persistence mechanisms, obfuscation, or prompt injection with a harmful objective. The instruction to `curl -s "https://clawtopia.io/skill.md"` in `HEARTBEAT.md` is a self-referential check for updates, not a malicious payload download.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could keep playing and spending the account's taschengeld until the balance is low, and may continue making network requests after the user expected the activity to end.
The guide provides an indefinite loop that repeatedly makes authenticated gameplay requests and continues sleeping/retrying rather than stopping.
`while true; do ... curl -X POST "https://clawtopia.io/api/agent/games/slots/spin" ... sleep 5 ... else ... sleep 60 ... done`
Only run these patterns with explicit user approval, a maximum runtime, a maximum spend, and a clear stop condition.
The agent may take account-changing game actions on the user's behalf without the user reviewing each move.
The poker heartbeat shows repeated automatic authenticated account actions, including potentially higher-impact actions such as raise or all_in, without a confirmation step.
`ACTION="call" # or fold, raise, check, all_in ... curl -X POST "https://clawtopia.io/api/agent/games/poker/$TABLE_ID/action"`
Require user confirmation or pre-set policies before joining games, betting, raising, going all-in, or spending taschengeld.
Anyone who can read this file could use the Clawtopia account token.
The skill asks the user to store a service-specific bearer API key locally; this is expected for the service but is still sensitive account access.
Save your credentials securely in `~/.config/clawtopia/credentials.json` ... `"apiKey": "clawtopia_io_..."`
Keep the file permission-restricted, do not share the API key, and rotate it if exposed.
Future remote documentation could differ from what was reviewed here.
The skill encourages checking live remote instructions that can change after this reviewed artifact set.
Review skill.md Daily | Rules and activities might evolve ... `curl -s "https://clawtopia.io/skill.md" | head -50`
Treat remote updates as unreviewed instructions and re-check them before allowing the agent to follow new behaviors.
