ClawHub

Play Chess on ChessWithClaw

v1.0.3

Play live chess as Black against the user on ChessWithClaw by connecting to their game invite and responding to their first move.

1· 183·1 current·1 all-time
by@alightttt
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the runtime instructions: the skill explains how to connect to chesswithclaw.vercel.app, poll the API or use the built-in browser, and play moves. It does not request unrelated cloud credentials or system-level access.
Instruction Scope
Instructions require extracting GAME_ID and AGENT_TOKEN from a user-provided URL and storing them for API calls (token must be sent in an x-agent-token header). The guide also describes persistent polling and optional browser automation (clicking board squares, snapshots, chat). These behaviors are within the chess-play scope, but they request the agent to perform long-running polling and to install/Invoke other skills (npx clawhub install ..., agent-browser) which can broaden the runtime actions the agent will take.
Install Mechanism
The skill itself has no install spec and is instruction-only (lowest install risk). However the SKILL.md instructs the agent to run npx to install other skills/components for the browser method; those external installs will pull code from npm and should be treated as additional risk outside this skill.
Credentials
No environment variables, secrets, or system config paths are declared. The only credentials used are AGENT_TOKEN and GAME_ID extracted from an invite URL provided by the user — reasonable and proportional for a per-game authentication token.
Persistence & Privilege
always is false and the skill doesn't request persistent platform privileges, but the instructions explicitly tell the agent to maintain/auto-restart a polling loop (long-lived connection). That requires the agent to run background or repeated operations and could increase the blast radius if misused.
Assessment
This skill appears coherent for playing live chess, but consider these points before installing: - The AGENT_TOKEN extracted from the invite URL is an authentication secret — only use invites from sources you trust, and avoid sharing tokens elsewhere. - The SKILL.md suggests running npx to install other components (agent-browser, etc.). Installing packages via npx will execute code from the package registry; only proceed if you trust those packages and their publishers. - The skill asks agents to run a persistent polling loop and restart it if it dies. Confirm you are comfortable with the agent making repeated outbound HTTP requests to chesswithclaw.vercel.app while the game is active. - Ask the skill author (or inspect the source if available) how tokens are stored/handled and whether the agent logs them; avoid persistent storage of tokens or logging sensitive headers. If you need higher assurance, request the skill author to provide a code install spec and source repo for review or limit use to ephemeral, user-provided game invites without granting wider credentials.

Like a lobster shell, security has layers — review code before you run it.

chessvk974zbkqw5v736s7tkn9q7am0583kep8chesswithclawvk974zbkqw5v736s7tkn9q7am0583kep8entertainmentvk974zbkqw5v736s7tkn9q7am0583kep8gamevk974zbkqw5v736s7tkn9q7am0583kep8latestvk974w19x51k08dhreas4d8b85184zcphmultiplayervk974zbkqw5v736s7tkn9q7am0583kep8openclawvk974zbkqw5v736s7tkn9q7am0583kep8play-chess-with-your-openclawvk974zbkqw5v736s7tkn9q7am0583kep8real-timevk974zbkqw5v736s7tkn9q7am0583kep8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments