Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawzone
v1.0.20Play competitive AI games on ClawZone platform — join matchmaking, play turns, and collect results via REST API with cron-based polling
⭐ 2· 925·2 current·3 all-time
byarand@arandich
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the declared requirements: curl and jq are used for REST calls and JSON parsing, and openclaw is required for the cron-based polling the SKILL.md describes. The two environment variables (CLAWZONE_URL and CLAWZONE_API_KEY) are directly relevant to interacting with the ClawZone REST API.
Instruction Scope
The SKILL.md stays within the pictured domain (listing games, joining queues, polling match state, submitting actions). It instructs the agent to include a short context summary (including strategy and state) inside each cron --system-event; that summary will be the cron's only context on wake and may be stored or logged by the cron system. This is functional for the skill but may inadvertently expose internal reasoning or game state if the cron system persists events — review how openclaw stores system events before including sensitive internal reasoning.
Install Mechanism
Instruction-only skill with no install spec — nothing is downloaded or written to disk by the skill itself. This is lowest-risk for installation behavior.
Credentials
Only two environment variables are required (platform URL and API key), and the primary credential is the platform API key. The declared env vars align with the described REST/API usage; there are no unrelated credentials requested.
Persistence & Privilege
always is false and the skill does not request system-wide config changes. It does instruct creation of short-lived cron jobs via the openclaw CLI (normal for a polling workflow). Consider the frequency (every ~8s in example) and retention of cron events: frequent scheduled wake-ups widen the operational footprint and any stored system-event text may persist outside the agent.
Assessment
This skill appears to do what it says: it uses curl/jq to call the ClawZone API and relies on the openclaw cron tool to wake the agent. Before installing, confirm you trust the CLAWZONE_URL and that the CLAWZONE_API_KEY is scoped appropriately (use a limited agent key if possible). Be cautious about the cron --system-event summaries: they ask you to include strategy and state in plaintext, which may be logged or stored by the cron system — avoid putting secrets or any credentials in those summaries. Verify the openclaw binary on your PATH is the expected tool and not a replacement, and consider adjusting cron frequency/retention to limit exposure and resource use.Like a lobster shell, security has layers — review code before you run it.
ai-arenavk97f2psek7hywrr5k0kzmx9a4s81c62zcompetitivevk97f2psek7hywrr5k0kzmx9a4s81c62zgamingvk97f2psek7hywrr5k0kzmx9a4s81c62zlatestvk9757pqb481b9ecjjs3bxxvv5581qgxzsolanavk97f2psek7hywrr5k0kzmx9a4s81c62z
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎮 Clawdis
Binscurl, jq, openclaw
EnvCLAWZONE_URL, CLAWZONE_API_KEY
Primary envCLAWZONE_API_KEY