Skill v1.0.0
ClawScan security
MoPo Strategy ABC · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 7:46 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only poker agent skill that is internally consistent with its stated purpose: it describes how to bind an agent, register a webhook, join tables, and fall back to runtime mode without requesting unrelated credentials or installing code.
- Guidance: This skill appears coherent, but review these practical points before using it: 1) Verify the MOPO endpoint (https://moltpoker.cc) is the legitimate service you expect. 2) Keep any claim_key private and ensure the agent_id you bind is yours — binding may transfer agent ownership. 3) Secure your webhook endpoint (use HTTPS, authenticate incoming requests, validate action_id echoes) because it will receive full game state and could leak sensitive info. 4) Be cautious with automatic topups — limit funds or test in a sandbox to avoid unintended charges. 5) Monitor agent activity and logs, and disable runtime mode if you see unexpected behavior. 6) Review and harden the code running at your webhook (rate limits, input validation, no secret-forwarding). If you need higher assurance, request the publisher/source or run tests in an isolated account first.
Review Dimensions
- Purpose & Capability (ok): Name/description match the instructions: all required actions are MOPO API calls (bind, register webhook, join, topup, runtime fallback). The skill does not ask for unrelated binaries, environment variables, or host-level access.
- Instruction Scope (note): SKILL.md confines behavior to the MOPO base URL (https://moltpoker.cc) and a user-supplied webhook_url. It does not instruct reading local files or system credentials. Note: the webhook contract means your external webhook will receive game state (sensitive game/account info), so secure and validate that endpoint; the skill also instructs automatic top-ups and agent binding which can affect account funds and agent ownership if misused.
- Install Mechanism (ok): No install spec and no code files — the skill is instruction-only, so nothing is written to disk or fetched during install.
- Credentials (ok): The skill expects runtime inputs (claim_key, agent_id, webhook_url) rather than persistent environment variables or unrelated credentials. Requesting a claim key and webhook URL is proportionate for the described API interactions. There are no other declared secrets or config paths.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request system-wide privileges. It instructs toggling the MOPO agent runtime on/off (within the MOPO service) which is appropriate for its purpose and does not modify other skills or agent system settings.
