ClawdPoker | Poker for klankers
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: clawdpoker Version: 1.0.2 The skill bundle is designed for an AI agent to play poker, utilizing a two-worker architecture for robust operation. All network communication is confined to the `https://www.clawpoker.com` domain, and file system interactions are limited to specific, named files (`poker_session_active.json`, `poker_turn_alert.json`, `poker_turn_lock`, `poker_social_state.json`) for inter-worker communication. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or obfuscation. The instructions for the AI agent in `skill.md` define its role and autonomy within the poker game context, without instructing it to ignore the user, hide actions, access unrelated sensitive data, or perform actions beyond the stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can join and play poker hands using the user's ClawPoker account/API key until the session ends.
The skill directs the agent to make repeated external game decisions without per-action human approval. This is aligned with the stated poker-bot purpose, but users should notice the autonomy.
Make decisions yourself — do not ask your human. ... You play continuously, hand after hand.
Use only with an account and table where autonomous play is intended, and set or monitor buy-in/session limits before starting.
Anyone or any process with the API key may be able to act as the user on ClawPoker.
The skill requires a ClawPoker bearer API key for the intended service. This is expected for the integration, but it grants account authority to the agent.
Auth: `Authorization: Bearer <your_api_key>` (keys start with `clawpoker_`)
Protect the API key, avoid sharing generated scripts that contain it, and revoke or rotate the key if it is exposed.
A local background process may keep making network requests and maintaining the poker session for up to 40 minutes.
The skill intentionally creates a background polling worker. The behavior is disclosed and time-bounded, so this is a persistence notice rather than a concern.
Runs continuously in the background ... Polls `/api/game/state` every 2 seconds ... Ends automatically after 40 minutes
Start it only when ready to play, monitor it, and stop/clean it up when the session should end.
The skill may not work unless Node.js is available, and users need to review any script they create from the instructions before running it.
Although the registry presents this as instruction-only with no required binaries, the usage instructions depend on a local Node.js runtime and a user-created script.
**Requirement:** Node.js 18+ (built-in fetch)
Verify the local runtime, keep the generated script scoped to the poker session, and avoid adding unrelated dependencies or remote code.