Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Godot Game Claw Bridge

v1.5.0

Godot 4.x Project Generator CLI. Create 2D/3D games with 80+ CLI commands: projects, scenes, scripts, levels, UI (menu/HUD/dialog/inventory), game components...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (Godot project generator) align with the included CLI implementation: the JS creates project folders, scenes, scripts, assets, and components as described. The skill only declares node as a required binary which matches the CLI being a Node script. Note: SKILL.md and commands include an 'open' step that likely invokes the Godot editor, but the registry metadata does not declare a dependency on a 'godot' binary — a minor mismatch to be aware of.
Instruction Scope
SKILL.md instructs the agent to run local CLI commands (init, scene, script, component, open, etc.) and to generate files inside the current working directory. The runtime instructions do not request unrelated files, secrets, or external endpoints. The generated 'save' component persists to 'user://save.dat' (a Godot user save path) which writes to disk — expected for a scaffolding tool but worth noting if you run it in a sensitive directory.
Install Mechanism
No install spec is provided (instruction-only from registry perspective), but the package includes an executable Node script (clawbridge.js). That is not necessarily malicious, but it means the CLI code is bundled and will run locally; there are no external downloads or URL-based installers in the manifest, which reduces supply-chain risk. Review the full script before executing on a machine you care about.
Credentials
The skill requests no environment variables or credentials and the code shown does not read secrets or external config paths. This is proportionate for a local project generator. The script does import child_process.execSync (used for shell operations in Node) — acceptable for invoking local tools (e.g., opening the Godot editor) but worth auditing because execSync can run arbitrary commands if fed untrusted input.
Persistence & Privilege
The skill does not request permanent/always-on privileges (always:false) and does not modify other skills or global agent configuration. It writes files into the current working directory (expected for a scaffolding CLI) but does not appear to try to persist beyond the generated project files.
Assessment
This skill appears to do what it says: generate Godot 4.x projects with scenes, scripts, and components. Before installing/running it:
(1) Inspect the entire clawbridge.js file for any unexpected execSync calls or commands (especially around the 'open' command) because child_process can execute shell commands.
(2) Run it in a disposable directory (not your home or a repo with secrets) so generated files and any save files are isolated.
(3) If you expect the tool to open the Godot editor, ensure you have the Godot binary installed locally — the skill does not declare that dependency.
(4) Only install/run if you trust the publisher (source/homepage unknown).
If you want higher assurance, request the full source and confirm there are no network calls, credential access, or command-injection vectors in the remaining (truncated) portions of the script.
clawbridge.js:727: Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Tags: AI, Claw, Game, Godot, OpenClaw, latest


Runtime requirements

🎮 Clawdis
Bins: node
