Demo Slap
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: demo-slap
Version: 0.1.4
The skill bundle provides a legitimate integration for generating Counter-Strike 2 highlights and fragmovies using the Demo-Slap and Leetify APIs. The scripts (e.g., demo_slap_analyze.py, demo_slap_render.py) follow a standard pattern of submitting requests to official API endpoints (api.demo-slap.net and leetify.com), polling for status, and managing local state in a data/ directory. While the workflow involves high-privilege operations like using a 'watchdog' via the system cron and executing 'openclaw' system events via subprocess, these are clearly documented as necessary for handling long-running video rendering tasks and include instructions for the agent to disable them upon completion.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can act against the configured Demo-Slap account and, if provided, the Leetify account for match lookup and demo processing.
The skill requires a Demo-Slap credential and can use a Leetify credential, which is expected for the advertised integrations but should be noticed before installation.
Expected runtime inputs:
- Required: `DEMOSLAP_API_KEY`
- Optional: `LEETIFY_API_KEY`
Use service-specific API keys with the minimum access needed, and avoid placing unrelated credentials in the skill's local config file.
Local skill data may contain personal identifiers, match metadata, demo links, and clip URLs that could be reused by later runs or read by someone with local access.
The skill records demo URLs and chat IDs in a local history log, alongside other disclosed runtime files such as state and highlights.
append_log(f"ANALYZE started job={job_id} url={replay_url} chat_id={chat_id}")
Review or clear the skill's data directory if demo links, chat IDs, Steam IDs, or clip URLs should not remain on disk after a run.
Analyze or render jobs may keep running after the immediate chat response while they poll the Demo-Slap API.
The skill intentionally uses background execution for long analyze/render operations; this is purpose-aligned and the code bounds polling to a maximum number of attempts.
Run with `exec(background: true)` and keep the returned process/session id.
Only start background runs for user-requested clips, and stop or disable any watchdog after the job finishes or errors.
Clip URLs and chat delivery information may be passed through OpenClaw's event system for completion notifications.
The script sends an OpenClaw system event containing delivery context such as chat ID and clip URL so another runtime component can notify the user.
subprocess.run(["openclaw", "system", "event", "--text", event_text, "--mode", "now"], check=True)
Ensure the chat ID comes from the active user conversation and that any deployment watchdog only delivers to the intended destination.
