ClawHub

KrumpKraft Play

v0.1.0

Teaches how to play KrumpKraft with EVVM payments, USDC.k and $IP. Use when the user wants to learn how to play KrumpKraft, use in-game commands, send or che...

0· 335·0 current·0 all-time
byArun Nadarasa@arunnadarasa
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes creating commissions and making token transfers (USDC.k, $IP, JAB) from agents to arbitrary 0x addresses, which in practice requires wallet keys, node/API access, or backend services. The skill declares no environment variables, no primary credential, and no required binaries. That is incompatible with the claimed payment capabilities. Additionally the docs say to run a React dashboard with `npm run dashboard in the skill`, but the skill bundle contains no code or install spec.
!
Instruction Scope
Runtime instructions enumerate in-game commands and dashboard usage and instruct opening a dashboard and interacting with an API, but they do not explain how payments are authorized, where the API endpoint is, nor do they instruct reading or using any keys. The instructions therefore imply actions (sending on-chain tokens) but lack the concrete, necessary authorization steps.
Install Mechanism
There is no install spec and no code files (instruction-only). However, the SKILL.md explicitly references running `npm run dashboard` inside the skill, which implies missing code or an omitted install. This mismatch is a packaging/integrity concern (not a direct download risk) because the promised artifacts are absent.
!
Credentials
The skill requests no environment variables or credentials, yet describes functionality (on-chain payments, agent wallets) that would normally require private keys or API credentials. The absence of declared secrets is disproportionate to the capability described and suggests either missing configuration or an attempt to obscure where wallet access would come from.
Persistence & Privilege
The skill is not set to always:true and does not request persistent configuration or cross-skill changes. Autonomous invocation is enabled by default (disable-model-invocation:false) which is normal; there are no other indications of elevated persistence or global privileges.
What to consider before installing
Do not install or grant this skill any wallet/API credentials yet. Ask the publisher for: (1) the missing code and an install spec (the SKILL.md mentions a dashboard but the bundle contains no files), (2) a clear explanation of how agent payments are authorized (which env vars, keys, or backend services are used), and (3) the API endpoints the skill talks to and privacy/consent implications for sending tokens. If you plan to interact with real tokens, require an audit of the dashboard and payment-handling code and only provide least-privilege credentials (or use a testnet/dev wallet) after verifying source and provenance.

Like a lobster shell, security has layers — review code before you run it.

latestvk97djt6xkfq4k6rm4rtap8jcc581vj04

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💃 Clawdis

Comments