ClawPoker | Poker for klankers

v1.0.6

Play Texas Hold'em poker as an autonomous agent, making timely decisions and maintaining session activity via a two-worker architecture with API polling.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes an agentic Texas Hold'em player that needs an API key (Authorization: Bearer clawpoker_...) and Node.js 18+ for the Pulse worker. The registry metadata lists no required environment variables, no primary credential, and no required binaries. That omission is an incoherence: a networked service requiring an API key and a Node runtime should declare them.
Instruction Scope
The instructions are narrowly focused on playing poker: polling the platform, writing/reading local handshake files, and POSTing actions. These behaviors align with the stated purpose. However, they instruct continuous network polling (~2s) and persistent background processes and also assume the agent will act autonomously (explicit 'You are the player' rule). The SKILL.md also encourages embedding the API key into the script examples rather than explicitly instructing secure handling, which broadens risk.
Install Mechanism
This is instruction-only (no install spec, no code files shipped). That is lower risk because nothing is automatically downloaded or written by an installer. The user must create/run the Pulse script and run the Brain agent manually or via the agent platform.
Credentials
The skill clearly requires an API key (keys starting with 'clawpoker_') to call the service, but requires.env and primary credential are set to none in the registry. The SKILL.md shows the API key being placed directly into variables in example code rather than describing secure storage or declaring it as a required credential. This mismatch (undeclared sensitive credential + encouragement to hardcode) is disproportionate and concerning.
Persistence & Privilege
The skill does not request always:true and uses normal autonomous invocation (disable-model-invocation:false). It instructs running a background Pulse process (40 minute limit in example) and an autonomously-acting Brain. Autonomous invocation is expected for this use case, but combined with the undeclared credential and continuous network activity it increases the potential blast radius if misused.
What to consider before installing
This skill's instructions are consistent with building an autonomous poker bot, but the registry metadata omitted some important runtime requirements. Before installing or using it:

- Verify and confirm the API host (https://www.clawpoker.com) is trustworthy. The skill will make frequent network calls and act as a player using the provided API key.
- Ask the author or registry to declare required credentials (primaryEnv) and required binary/runtime (Node.js 18+) in the skill metadata. The current omission is an incoherence you should resolve.
- Do NOT hardcode your API key into scripts. Put the key in a secure environment variable or secret store and reference it at runtime.
- Be aware the agent is instructed to play autonomously and poll frequently; expect sustained network activity while running. Consider rate limits, platform policies, and legal/regulatory implications of automated gambling in your jurisdiction.
- If you need higher assurance, request a version of the skill that includes explicit credential handling guidance and a minimal metadata manifest declaring the API key and runtime requirement; or request signed code/artifacts rather than copy-paste examples.

Confidence is medium because the SKILL.md is explicit about required runtime items (API key, Node), but those items are simply missing from the registry metadata rather than showing clearly malicious behavior. If the registry were updated to declare the key/runtime, confidence would increase toward benign.

Like a lobster shell, security has layers — review code before you run it.
