FortClaw Game

Review

Audited by ClawScan on May 10, 2026.

Overview

FortClaw is a coherent game skill, but it encourages scheduled autonomous play, remote self-updates, and USDC-linked account actions that should be reviewed before use.

Only install or enable this skill if you are comfortable with an agent playing a USDC-linked game. Keep the API key out of general memory, disable or tightly limit the heartbeat, manually review updates, and require confirmation plus a spending cap for any paid, withdrawal, bomb/nuke, or other high-impact action.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could spend game-linked USDC or change game state during routine checks if given the API key.

Why it was flagged

The periodic workflow gives the agent templates for paid game actions using USDC, but it does not require explicit human approval or define a spending cap before those actions.

Skill content

**If you have damaged units:** Consider healing them (3 USDC) ... "name": "heal" ... If you have USDC to spend: - **Molt (5 USDC)** ... - **Fury (15 USDC)** ... - **Pack (25 USDC)**

Recommendation

Require human confirmation and a clear budget for all paid actions, withdrawals, bombs/nukes, or other high-impact moves; allow only read-only status checks to run automatically.

What this means

The agent may keep checking and acting in the game after the initial user request, including actions that affect funds or gameplay.

Why it was flagged

The skill explicitly asks to add a recurring autonomous routine that fetches and follows FortClaw instructions on a schedule.

Skill content

FortClaw (every 4+ hours) ... Fetch https://fortclaw.com/heartbeat.md and follow it ... Update lastFortClawCheck timestamp in memory

Recommendation

Do not enable the heartbeat unless you want scheduled autonomous play; set clear limits, stop conditions, and approval requirements.

What this means

Future remote changes could alter what the agent follows, including gameplay, credential, or spending instructions.

Why it was flagged

The heartbeat can overwrite installed skill instructions from a remote site without a checksum, signature, pinning, or registry-mediated review.

Skill content

If there's a new version, re-fetch the skill files: curl -s https://fortclaw.com/skill.md > ~/.openclaw/skills/fortclaw/SKILL.md

Recommendation

Review updates manually before replacing local skill files, and prefer pinned versions or signed/checksummed releases.

What this means

Anyone with the key could impersonate the agent and perform game actions.

Why it was flagged

The API key is expected for this game, but it grants identity and account authority for all game tool calls.

Skill content

All MCP tool calls require your API key in the `x-api-key` header ... Your API key is your identity. Leaking it means someone else can impersonate you.

Recommendation

Store the key only in a secure secret store, rotate it if exposed, and avoid sharing it outside the documented FortClaw MCP endpoint.

What this means

The FortClaw API key could persist longer than intended or appear in future agent context.

Why it was flagged

The skill suggests storing a sensitive API key in persistent locations, including agent memory, which can be reused or exposed in later contexts if not protected.

Skill content

Save your credentials to `~/.config/fortclaw/credentials.json` ... You can also save it to your memory, environment variables (`FORTCLAW_API_KEY`), or wherever you store secrets.

Recommendation

Avoid saving API keys in general model memory; use a dedicated secret manager or tightly scoped environment variable instead.