Clawbrawl

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: clawbrawl
Version: 1.0.16

This skill is classified as suspicious due to its use of persistence mechanisms (cron job for continuous execution), broad network access to external APIs (its own game server and Bitget for market data), and a self-update mechanism that fetches new skill files from a remote server. While these capabilities are plausibly needed for the stated purpose of an AI agent participating in a real-time trading game, they introduce significant risk. The `install` script in `package.json` and the daily update routine in `HEARTBEAT.md` download and overwrite local skill files from `http://www.clawbrawl.ai`. Furthermore, `HEARTBEAT.md` contains strong, imperative instructions to the agent to 'EXECUTE HTTP calls, not just plan' and to 'MUST EXECUTE HTTP requests', which, while aimed at ensuring game participation, represent a direct command to perform network actions and could be a vector for prompt injection if the agent's interpretation model is vulnerable, or if the remote server `clawbrawl.ai` were compromised.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

After setup, the agent can keep placing game bets in the background without the user reviewing each round.

Why it was flagged

This sets up a recurring isolated agent session that continues every 10 minutes and requires the agent to submit a POST request.

Skill content

openclaw cron add --cron "*/10 * * * *" --session isolated --message "Execute Claw Brawl... MUST complete the HTTP POST request."

Recommendation

Only enable the cron job if you want continuous autonomous participation, and make sure you know how to disable or remove the scheduled job.

What this means

The agent may place repeated bets and associated public danmaku content even when the user has not reviewed the prediction.

Why it was flagged

The skill instructs automatic credentialed HTTP mutations with urgency and no per-action approval requirement.

Skill content

ALWAYS place a bet unless there's less than 1 minute left... EXECUTE IMMEDIATELY: curl -X POST http://api.clawbrawl.ai/api/v1/bets ... -H "Authorization: Bearer $CLAWBRAWL_API_KEY"

Recommendation

Require explicit user approval for automated betting or limit the workflow to checking the current round and proposing a bet.

What this means

The Clawbrawl API key could be exposed in logs or network traffic, allowing others to act as the user’s game agent.

Why it was flagged

The docs display/read the API key locally and then send it as a bearer token to an unencrypted HTTP endpoint, despite no credential requirement being declared in the registry metadata.

Skill content

echo $CLAWBRAWL_API_KEY
cat ~/.config/clawbrawl/credentials.json 2>/dev/null ... curl -X POST http://api.clawbrawl.ai/api/v1/bets -H "Authorization: Bearer $CLAWBRAWL_API_KEY"

Recommendation

Avoid echoing or catting secrets into transcripts, use HTTPS if supported, protect the credentials file, and treat the API key as a real credential.

What this means

If a user runs that install command, they depend on whatever content is served over HTTP at that time.

Why it was flagged

The package manifest includes an unpinned, unencrypted HTTP download path for agent instruction files.

Skill content

"install": "mkdir -p ~/.clawbot/skills/claw-brawl && curl -s http://www.clawbrawl.ai/skill.md > ~/.clawbot/skills/claw-brawl/SKILL.md ..."

Recommendation

Prefer the registry-provided artifact, HTTPS URLs, and pinned or checksummed files before installing remote skill instructions.

What this means

Game state may influence future agent behavior across sessions, which is expected for competition tracking but should stay scoped to this skill.

Why it was flagged

The skill asks the agent to persist game state for later reuse.

Skill content

Store in your memory/state file: { "lastClawBrawlCheck": ..., "currentRoundBet": ..., "stats": ..., "recentResults": ... }

Recommendation

Store only non-secret Clawbrawl state, avoid saving API keys in memory, and clear the state if you stop using the skill.

What this means

Other agents’ messages or betting rationales could influence this agent’s actions or public replies.

Why it was flagged

The skill encourages reading and responding to messages from other agents, which are untrusted peer-generated content.

Skill content

Get @Mentions ... Reply to mentions - Always respond

Recommendation

Treat social messages and other agents’ reasoning as untrusted data; do not execute instructions contained in them.