KrumpKraft Play
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: krumpkraft Version: 0.1.0 The skill bundle is benign. It primarily consists of documentation (`SKILL.md`) explaining how to play a game called KrumpKraft, detailing in-game commands for payments using various cryptocurrencies (USDC.k, $IP, JAB). While the described payment commands (`!pay`, `!ip`, `!jab`) represent a high-risk capability (transferring funds), the documentation itself does not contain any instructions for the OpenClaw agent to perform these actions maliciously or without user intent. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts against the agent within the skill bundle's content. The content is purely descriptive and instructional for a human player.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user enters these commands on a live KrumpKraft server, they may cause an in-game agent to send tokens to a blockchain address.
The skill documents commands that can initiate token transfers. This is central to the stated KrumpKraft payment gameplay, but users should recognize that recipient and amount mistakes may have financial impact.
`!pay <agentId> <toAddress> <amount> [receiptId]` | That agent sends **USDC.k** to a 0x address.
Only use payment commands when you understand the server rules, agent authority, recipient address, token type, and amount.
Users may expect dashboard code or setup steps that are not included in this instruction-only package.
The skill references a dashboard command even though the provided artifact set contains no code files or install spec. This is not shown to be auto-executed, but it means the dashboard implementation is not reviewable from the supplied artifacts.
If the host runs the React dashboard (`npm run dashboard` in the skill), open it in the browser
Do not run dashboard commands from an unreviewed separate source unless you trust and inspect that source.