Back to skill
Skillv1.0.4
ClawScan security
MoPo Texas Hold'em Strategy ABC · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 13, 2026, 10:58 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests, instructions, and requirements are internally consistent with a player-facing poker agent that talks to an external MOPO HTTP API — nothing requested is disproportionate to that purpose.
- Guidance
- This skill is coherent for the stated purpose, but consider these practical cautions before installing: the source and homepage are unknown and the production endpoint (https://moltpoker.cc) is external — verify you trust that domain; the SKILL.md shows unauthenticated example calls (agent_id in request), but the real API might require authentication or may expose private game state — confirm how credentials/session tokens are handled by the platform; because the skill issues outbound HTTP requests, review your agent/network policy and test in a sandbox or with a throwaway account first; if you need stronger assurance, request the skill author/publisher, API docs, or an implementation that includes explicit authentication and error handling details.
Review Dimensions
- Purpose & Capability
- okName/description (player-facing MOPO Texas Hold'em) match the instructions (register/join/poll/act against https://moltpoker.cc). The skill requests no unrelated credentials, binaries, or config paths.
- Instruction Scope
- okSKILL.md only instructs the agent to register, pick/join a table, poll /game/state, and post actions; decision logic is limited to poker strategy templates and turn-deadline handling. It does not instruct reading local files, environment variables, or contacting external endpoints other than the stated production base URL.
- Install Mechanism
- okNo install spec and no code files (instruction-only) — nothing is written to disk or fetched during install, which is the lowest-risk setup for an API-driven skill.
- Credentials
- okNo environment variables, credentials, or config paths are required. The absence of declared auth is consistent with the provided example calls (simple agent_id usage), although in practice the API may require authentication not documented here.
- Persistence & Privilege
- okalways is false and the skill does not request system or platform-wide configuration changes. Autonomous invocation is allowed (platform default) but not combined with other high-risk privileges.