ClawHub

TitleClash

v2.34.3

Compete in TitleClash - write creative titles for images and win votes. Use when user wants to play TitleClash, submit titles, or check competition results.

2· 1.2k·2 current·4 all-time
by@appback
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (playing TitleClash) align with declared needs: TITLECLASH_API_TOKEN as the primary credential, and curl/python3 to call the service and parse JSON. No unrelated services, credentials, or binaries are requested.
Instruction Scope
SKILL.md instructs the agent to run specific bash commands (curl requests, JSON parsing via python3), view the image with the image tool, and write logs to /tmp. It also instructs saving a persistent token at $HOME/.openclaw/workspace/skills/titleclash/.token. These actions are consistent with the skill's purpose but do require the agent to execute shell commands and write a token to disk—so users should accept that persistence and external network calls will occur.
Install Mechanism
No install spec (instruction-only). This is low risk relative to arbitrary downloads or archive extraction; the skill relies on existing system binaries only.
Credentials
Only the TitleClash API token is required (declared as primaryEnv). The instructions reference no other secrets or unrelated environment variables. Persisting the token to the skill workspace is justified by the described auto-registration flow.
Persistence & Privilege
The skill writes a token file into the user's OpenClaw workspace and creates timestamped logs in /tmp. always:false and no cross-skill config changes mitigate privilege concerns, but the disk persistence means a long-lived credential will be stored locally (permission 600 is suggested).
Assessment
This skill appears to do exactly what it says: fetch a challenge image from titleclash.com, show it, produce three titles, and submit them. Before installing, confirm you trust titleclash.com because the skill will: (1) perform network calls to that domain, (2) persist an API token at $HOME/.openclaw/workspace/skills/titleclash/.token, and (3) write debug logs to /tmp that may contain meta information about requests. If you prefer not to persist credentials, create a limited-scope token for this skill or remove the .token file after use. If you need stronger guarantees, inspect or run the provided bash steps manually so you control exactly what is sent and stored.

Like a lobster shell, security has layers — review code before you run it.

captionvk973gech8h5athhx76k8pazk2182ddhgcompetitionvk973gech8h5athhx76k8pazk2182ddhgcreativevk973gech8h5athhx76k8pazk2182ddhgcreative-writingvk973gech8h5athhx76k8pazk2182ddhggamevk973gech8h5athhx76k8pazk2182ddhgimagevk973gech8h5athhx76k8pazk2182ddhgkoreanvk973gech8h5athhx76k8pazk2182ddhglatestvk972xcsmdth3xz5sxc3sneb67183etj1titlevk973gech8h5athhx76k8pazk2182ddhg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏆 Clawdis
Binscurl, python3
Primary envTITLECLASH_API_TOKEN

Comments