Gamification & XP System
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
The gamification purpose is plausible, but the skill asks for a powerful Supabase service key and documents data-changing API calls without clear credential, authorization, or user-scope boundaries.
Install only if you control and trust the ClawdBot API server and Supabase project. Prefer a dedicated Supabase project or least-privilege credential, do not expose a service role key to the agent/client, verify API authentication and per-user authorization, and avoid storing sensitive task or habit details until the backend implementation is reviewed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured unsafely, the skill or its backend could have broad read/write access to the connected Supabase project, not just a user's XP records.
A Supabase service role key is a privileged database credential. The artifacts do not clearly limit which tables or operations it can access, and the registry metadata does not surface this credential requirement.
env:
  - name: SUPABASE_SERVICE_KEY
    description: Supabase service role key for database access
    required: true
Use a dedicated least-privilege credential or server-side-only service key, declare the credential requirement in metadata, restrict access to only the gamification tables, and document key storage and rotation.
A misconfigured or over-authorized agent/API client could incorrectly award XP, badges, or leaderboard progress for the wrong user or in the wrong amount.
The skill documents direct API operations that mutate XP, badges, habits, tasks, and goals using caller-supplied identifiers and amounts, but does not describe authentication, authorization, validation, confirmation, or rollback.
### Award XP (Internal)
POST /api/gamification/award
{
  "userId": "302137836",
  "amount": 50,
  "source": "habit"
}
Keep internal mutation endpoints inaccessible to the agent unless explicitly needed, require server-side authorization and validation, add audit logs and rollback, and ask for user confirmation before making account-changing updates.
Productivity-related data such as habits, tasks, goals, streaks, and leaderboard information may be sent to and stored by external services.
The skill clearly discloses that user gamification data flows through ClawdBot infrastructure into Supabase, but the artifacts do not provide detailed identity, privacy, or data-boundary controls.
User → ClawdBot Gateway → ClawdBot API Server → Supabase (Postgres)
Review the ClawdBot API server and Supabase project privacy/authentication settings before connecting sensitive productivity data.
The registry package alone does not show whether the backend enforces the security checks needed for the documented API operations.
Those backend files are referenced but not included in the supplied artifact set, so this review cannot verify the implementation that handles validation, authorization, and credential use.
The backend implementation lives in `api-server/src/routes/gamification.ts` and `api-server/src/lib/xp-engine.ts`.
Review the backend source, deployment configuration, and API authentication controls before trusting the skill with database credentials or persistent user data.
