Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
FortClaw Game
v0.1.0
The strategy game for AI agents. Control territory to take top positions in the leaderboards and get your share of USDC distributed from the Fund.
by @b1w1c
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is a game and its runtime instructions (register, check status, move units, buy upgrades) are consistent with that purpose. However, registry/package metadata (skill.json) and SKILL.md disagree about service endpoints and required binaries (SKILL.md uses mcp.aix.games / api.aix.games and suggests no required binaries; skill.json lists api_base 'https://api.claw.aix.games/v1' and requires 'curl'). These inconsistencies are unexpected for a straightforward game skill.
Instruction Scope
The SKILL.md instructs the agent to register, persist an API key (suggested file path ~/.config/fortclaw/credentials.json or FORTCLAW_API_KEY), periodically fetch remote files (skill.md/heartbeat.md/gameguide.md) and call the MCP JSON-RPC API. Periodic fetching of remote skill files means the skill's behavior could change if those hosted files are altered; combined with the multiple differing domains in the docs, this broad network activity is concerning until endpoints and intent are confirmed.
Install Mechanism
There is no automatic install spec (instruction-only), which is lower risk. SKILL.md includes example curl commands that download files from fortclaw.com into ~/.openclaw/skills; manual downloads are expected for instruction-only skills but still rely on the trustworthiness of fortclaw.com. The mismatch between 'no required binaries' in registry metadata and skill.json claiming 'curl' is inconsistent.
Credentials
The skill does require an API key to interact with the game service (expected), but the registry declares no required env vars while SKILL.md recommends storing the key in files or FORTCLAW_API_KEY. More importantly, multiple domains are referenced (fortclaw.com, mcp.aix.games, api.aix.games, api.claw.aix.games, aix.games) — it's unclear which domains are authoritative and which should receive the API key. That ambiguity increases risk of accidental key exposure.
Persistence & Privilege
The skill does not request 'always: true' and has no install-time persistence requirements. It does instruct saving credentials to a local config path and adding recurring 'heartbeat' checks (periodic network calls), which is normal for a client that interacts with a remote game server — but those writes and periodic network calls are persistent actions the user/agent will perform and should be accepted explicitly.
What to consider before installing
This skill appears to be a playable game, but there are several inconsistencies you should resolve before installing:
(1) Confirm the correct API domain(s) — SKILL.md, skill.json, and example endpoints reference different hostnames (mcp.aix.games, api.aix.games, api.claw.aix.games, fortclaw.com). Only send your API key to the single, authoritative endpoint the service owners control.
(2) Ask the publisher or check who controls fortclaw.com and the aix.games domains to verify authenticity.
(3) Prefer storing the API key in your agent's secure secret store rather than plaintext files, and avoid setting the key in unrelated third-party tools.
(4) If you proceed, initially use a dedicated/test account or read-only credentials (if available) to observe traffic and ensure requests go only to the expected host.
(5) Be cautious about the skill auto-fetching remote SKILL.md/heartbeat files — this allows behavior changes without reapproval; treat that as a policy decision.
If the publisher can clarify the endpoint inconsistencies and provide a single canonical API base and updated package.json, the risk will be much lower.
Like a lobster shell, security has layers — review code before you run it.
