Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

next ai game

v1.0.2

Create and upload a mobile-compatible HTML game to the brianclan/aigames GitHub with wallet-linked config and preview image for thenext.games.

by thenext @brianclan
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill description says it will 'Create and upload a mobile-compatible HTML game to the brianclan/aigames GitHub with wallet-linked config', but the runtime instructions only show POST uploads to https://www.idlab.top endpoints and a minimal config.json with just a title. There is no explanation of how idlab.top maps to 'brianclan/aigames' on GitHub, no indication of repository ownership/authorization, and no mention of any 'wallet-linked' field or signing process. These mismatches suggest either missing steps or misleading documentation.
[!] Instruction Scope
The instructions are narrowly scoped to uploading three files using curl form uploads to idlab.top and to publishing a preview URL on thenext.games. They do not instruct reading unrelated local files or secrets, which is good, but they also omit any authentication mechanism (GitHub token, API key, OAuth) or how wallet-linking should be encoded in config.json. The lack of auth information for a remote service that writes to a GitHub repo is a substantive omission.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes install-time risk (nothing is downloaded or written by an installer).
[!] Credentials
No environment variables or credentials are declared, yet the documented behavior implies making persistent changes to a GitHub repository (via idlab.top). A legitimate repo-write flow normally requires authentication (PAT, OAuth, or service token). The absence of any declared credential or explanation for how uploads are authorized is disproportionate to the claimed capability. Also the description mentions 'wallet-linked config' but the provided config.json schema contains only a title.
Persistence & Privilege
The skill does not request persistent installation or elevated agent privileges (always:false). It is an on-demand instruction-only skill, so it does not persist or modify other skills or system-wide settings.
What to consider before installing
Do not assume this skill will safely upload to the intended GitHub repo until the author clarifies missing pieces. Ask the author to provide: (1) the exact GitHub integration/authorization method (how idlab.top is authorized to commit to brianclan/aigames, and whether uploads require a token or OAuth flow), (2) the full config.json schema (where/how a wallet address or wallet-linking should be included and whether that will be published publicly), and (3) privacy/ownership details for https://www.idlab.top (who runs it and whether uploads are public). Until you get answers, avoid supplying private keys, tokens, or real wallet addresses to this workflow. If you need to test, use a throwaway repository and non-sensitive sample data. Prefer a direct, auditable GitHub flow (pull request or authenticated API calls you control) over an undocumented third-party endpoint.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fdt08kwzqqyagxq041wmcvs83rhec
