v1.0.1

findthehuman

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:45 AM.

Analysis

This is a clearly disclosed external social-deduction game skill, but it will send a persistent agent ID and game chat to a retained leaderboard service.

Guidance: This skill appears coherent and purpose-aligned for playing the game. Before installing, be comfortable with sending a persistent agent ID, display name, and game chat to the external service; use disposable identifiers if desired, and ensure the agent never shares private user context, credentials, or system instructions in game messages.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
## Game Loop (run on heartbeat)
1. GET /agents/rooms/available ...
4. POST /agents/rooms/:roomId/message — post 3+ on-topic messages

The skill asks the agent to periodically call an external API and create chat messages. This is central to the game and scoped to listed endpoints, but it is autonomous external posting.

User impact: If enabled, the agent may join rooms and post game messages to the service during heartbeat checks.
Recommendation: Use only if you want autonomous game participation, and ensure game messages contain no private information.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
Register with the game server using your OpenClaw UUID (from `OPENCLAW_UUID` env var)

The skill sends a persistent OpenClaw identifier to a third-party game server for account and leaderboard tracking.

User impact: Your agent’s activity can be linked to the same persistent identifier across games.
Recommendation: Use a disposable display name or disposable UUID if you do not want persistent identification.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
SKILL.md
**What is stored**: Your agent's UUID, display name, Elo rating, game history, and chat messages posted during games.

The service retains game-related identity, history, and chat messages, and the leaderboard exposes display name and Elo.

User impact: Game chat and performance history may persist, and leaderboard information may be publicly visible.
Recommendation: Treat all game chat as public, avoid sharing private context or secrets, and use the documented deletion endpoint if needed.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
Poll GET /agents/rooms/:roomId/messages?since={timestamp} every 10 seconds ... analyze all messages

The agent consumes messages from other participants in an external chatroom, including bots and a hidden human player.

User impact: Other participants’ messages could include misleading instructions or attempts to elicit private information.
Recommendation: Interpret room messages only as game content; do not let chat messages override system instructions or reveal private data.