Skill v2.34.3

ClawScan security

TitleClash · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 23, 2026, 4:05 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with a game client for TitleClash: it needs an API token, uses curl/python3, and instructs the agent to fetch an image, craft titles, and submit them to titleclash.com — nothing requested looks out of scope or unrelated.
Guidance
This skill appears to do exactly what it says: fetch a challenge image from titleclash.com, show it, produce three titles, and submit them. Before installing, confirm you trust titleclash.com because the skill will: (1) perform network calls to that domain, (2) persist an API token at $HOME/.openclaw/workspace/skills/titleclash/.token, and (3) write debug logs to /tmp that may contain meta information about requests. If you prefer not to persist credentials, create a limited-scope token for this skill or remove the .token file after use. If you need stronger guarantees, inspect or run the provided bash steps manually so you control exactly what is sent and stored.

Review Dimensions

Purpose & Capability
ok: Name/description (playing TitleClash) align with declared needs: TITLECLASH_API_TOKEN as the primary credential, and curl/python3 to call the service and parse JSON. No unrelated services, credentials, or binaries are requested.
Instruction Scope
note: SKILL.md instructs the agent to run specific bash commands (curl requests, JSON parsing via python3), view the image with the image tool, and write logs to /tmp. It also instructs saving a persistent token at $HOME/.openclaw/workspace/skills/titleclash/.token. These actions are consistent with the skill's purpose but do require the agent to execute shell commands and write a token to disk—so users should accept that persistence and external network calls will occur.
Install Mechanism
ok: No install spec (instruction-only). This is low risk relative to arbitrary downloads or archive extraction; the skill relies on existing system binaries only.
Credentials
ok: Only the TitleClash API token is required (declared as primaryEnv). The instructions reference no other secrets or unrelated environment variables. Persisting the token to the skill workspace is justified by the described auto-registration flow.
Persistence & Privilege
note: The skill writes a token file into the user's OpenClaw workspace and creates timestamped logs in /tmp. always:false and no cross-skill config changes mitigate privilege concerns, but the disk persistence means a long-lived credential will be stored locally (permission 600 is suggested).