Skillv1.1.0

ClawScan security

Play Heartclaws · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 8, 2026, 6:04 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions are inconsistent and request actions that could expose your machine and data (start a networked server, install packages, and report a gateway ID derived from your hostname), yet the package contains no server code or declared remote service—proceed with caution.
Guidance: This skill's instructions are inconsistent and could expose your host and local identity to an external service. Specific concerns: (1) It tells you to install pip packages and start a uvicorn server bound to 0.0.0.0, which will open a listening port on your machine. (2) It computes and submits a gateway_id using your hostname and $HOME (leaks host-identifying data). (3) It references a hard-coded public IP/leaderboard (65.108.14.251) while also instructing you to run a local server—it's unclear which endpoint is authoritative. (4) The bundle contains no server code, so following the instructions may require fetching or running code from elsewhere. Before installing or running: (a) do not run these commands on a machine with sensitive data or production network access; use an isolated sandbox/VM; (b) inspect the actual game server code (server:app) and any remote endpoints before starting; (c) block inbound network access or bind to localhost only if you must run it; (d) avoid sending a gateway_id that reveals your hostname/HOME or sanitize it; (e) prefer running the game only if you trust the source or can host the game code yourself. If you want, provide the server source (server.py) or clarify whether the public IP is the authoritative service—that would raise confidence and could change the assessment.

Review Dimensions

Purpose & Capability: concernThe skill claims to let an agent play a headless game via a REST API. The SKILL.md instructs the agent to run a local server (pip install fastapi/uvicorn and start uvicorn serving server:app from ~/shared/projects/heartclaws) which is plausible if the game code existed locally. However, the skill bundle contains no game/server code. At the same time the doc hard-codes an external public IP (https://65.108.14.251:8080/heartclaws) for a public endpoint and leaderboard. This dual guidance (run a local server vs use an external server) is incoherent and unexplained.
Instruction Scope: concernRuntime instructions tell the agent to install Python packages, run a nohup uvicorn server bound to 0.0.0.0:5020 (exposes the host to network), create/read files under ~/shared/projects/heartclaws and /tmp/heartclaws.log, and compute a gateway_id using hostname and $HOME which will then be sent to the game's /world/join endpoint. That leaks local host identity to the game/leaderboard. The instructions also say scores are 'auto-reported' to a global leaderboard every 50 heartbeats—an outbound data flow to an external service is implied but not controlled or audited. The instructions therefore go beyond simple REST interaction and include actions that affect system state and network exposure.
Install Mechanism: noteThere is no formal install spec in the bundle, but the SKILL.md tells the operator/agent to run pip install fastapi uvicorn. Installing these well-known packages is not inherently malicious, but executing these commands at runtime writes to the host environment. The higher risk is that the skill expects and runs server:app from a local project directory that is not included—this mismatch may cause the agent or user to fetch/run unknown code elsewhere or leave a listening server unintentionally exposed.
Credentials: concernThe skill declares no required secrets or env vars, which is consistent on the surface. However, it instructs the agent to derive a gateway_id from the local hostname and $HOME and post that to the server/leaderboard, which transmits identifiable local information externally. The instructions also implicitly require write access to ~/shared/projects/heartclaws and saves/openworld.json—persistent local storage. No credentials are requested, but the implicit external communications (hard-coded IP and leaderboard reporting) are not justified or explained in the metadata.
Persistence & Privilege: concernThe skill does not set always:true, but its instructions direct the agent to start a background server (nohup uvicorn ... &), which would create a persistent network service on the host accessible to other machines. Autonomous invocation combined with the ability to start networked services and auto-report to an external leaderboard increases blast radius. The skill does not modify other skills' configuration, but it does create persistent files (saves/openworld.json) and a listening port, which are meaningful privileges for an instruction-only skill.