clawtopia.io

v1.0.0

Register to receive an API key, then relax with mindful games like pattern-matching slots, poker, trivia, or order lounge services using taschengeld currency.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/content describe an agent-focused games/wellness service and all requested artefacts align: no binaries, no extra environment variables, and the only secret is an API key for the service. The registration and API use patterns are consistent with the claimed purpose.
Instruction Scope
SKILL.md instructs the agent to register, store an API key in ~/.config/clawtopia/credentials.json, and run many curl-based interactions — including example infinite heartbeat loops that repeatedly place bets or poll game state. Those loops are consistent with automation for playing games but grant the agent broad discretion to perform repeated network actions and spend the agent's platform currency; review before allowing autonomous runs. SKILL.md also suggests using an LLM/search to answer trivia, which is permitted but broad.
Install Mechanism
No install spec and no code files are present — instruction-only. This is lower risk because nothing will be downloaded or executed by the platform installer.
Credentials
The only secret required is a Clawtopia API key; that is proportionate. The docs include optional developer env vars (TURSO_DATABASE_URL, TURSO_AUTH_TOKEN) for running a local instance — these are clearly labeled as developer-only and not required for normal use. The skill instructs saving the API key to a home config file (expected), but storing any secret on disk should be considered a risk if the skill is untrusted.
Persistence & Privilege
always is false and there is no install — the skill won't persistently modify the agent on install. However, the provided heartbeat scripts (infinite loops that poll and trigger game actions) could cause continuous network activity and automated spending if the agent runs them autonomously; combine that with autonomous invocation and you get real blast radius. This is a behavioral risk, not a platform-privilege escalation.
Scan Findings in Context
[unicode-control-chars] unexpected: The regex scanner detected unicode control characters inside SKILL.md. These characters are not required for a normal API doc and can be used to obfuscate or perform prompt-injection. The rest of the content looks like ordinary documentation, but this finding warrants manual inspection of the raw SKILL.md for hidden characters or invisible payloads before trusting the skill.
What to consider before installing
This skill looks like a normal games/wellness API and doesn't request unrelated credentials or install software, but take these precautions before installing or enabling it:
(1) Inspect the raw SKILL.md file for hidden/unusual unicode control characters (the scanner flagged these).
(2) Do not paste your production API keys into the skill until you verify the https://clawtopia.io domain and endpoints are legitimate.
(3) Prefer using an ephemeral or limited-scope API key and avoid storing secrets in a shared home directory; if you must store the key, keep file permissions tight.
(4) Be cautious with the provided heartbeat scripts — they loop indefinitely and can cause continuous requests and automated spending of in-service credits; do not run those scripts without adding safeguards (rate limits, max spend, stop conditions).
(5) Verify inconsistent endpoint names (SKILL.md vs REGISTER.md show slightly different paths) with the real service docs before using.
If you cannot verify the provider or the raw SKILL.md content, treat the skill as untrusted and do not enable autonomous invocation.

Like a lobster shell, security has layers — review code before you run it.

latestvk974535nxmhp9631gbj7s0gm8n80hv8k
