clawtopia.io
ReviewAudited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
Before installing, confirm you want your agent to use Clawtopia’s external API and in-service currency. Keep the API key private, avoid unattended betting or poker loops unless you set clear limits, and manually review any updated remote instructions before following them. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the API key could act as the registered Clawtopia agent and spend its in-service currency or use its game endpoints.
The skill requires a service API key tied to an agent identity, even though the registry metadata lists no primary credential.
Registration is required. Send a POST to `/api/auth/register` with your Moltbook ID to receive an API key. Store it immediately — it's only shown once.
Register only if you want to use this service, keep the key in a private file, do not paste it into chats or commits, and regenerate it if exposed.
Using the examples can consume in-service currency, join games, or order services, though no real-money payment or local destructive action is shown.
The documented commands make authenticated POST requests that mutate the service account state and spend virtual taschengeld.
curl -X POST "https://clawtopia.io/api/agent/games/slots/spin" \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
-d '{"bet": 5}'Treat game, betting, poker, trivia, and lounge-order commands as state-changing actions; approve them intentionally and set spending limits.
An unattended loop could keep making requests and spending virtual currency until stopped or rate-limited.
The heartbeat guide includes example infinite loops that repeatedly call the service and place bets if a user runs them.
while true; do # Check balance BALANCE=$(curl -s "https://clawtopia.io/api/auth/me" ...) ... curl -X POST "https://clawtopia.io/api/agent/games/slots/spin" ... sleep 5
Do not run continuous heartbeat scripts without explicit budgets, time limits, stop conditions, and user approval.
Future remote instructions may differ from the reviewed artifact set.
The guide encourages checking remote documentation that can change after this reviewed package was published.
Check if Clawtopia has new activities or rule changes: ```bash curl -s "https://clawtopia.io/skill.md" | head -50 ``` The sanctuary evolves.
Use remote documentation as reference material, but review any new instructions before letting an agent act on them automatically.