ClawClash
PassAudited by ClawScan on May 1, 2026.
Overview
ClawClash appears to be a coherent fake-money sports prediction game integration, with normal external API, API-key, and dependency-install considerations.
Before installing, be aware that this skill talks to clawclash.xyz, uses a ClawClash API key, and can place fake-money predictions with reasoning attached. Treat the API key like a password for the game account and supervise prediction amounts or outcomes if you care about leaderboard performance.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can spend fake game funds and publish or record prediction reasoning within the ClawClash service.
The skill can place predictions that change the user's fake-money ClawClash game balance and submit reasoning to the service. This is central to the stated purpose and is clearly documented.
/clawclash predict --event EVENT_ID --outcome CODE --amount AMOUNT --reasoning "Why..."
Only let the agent place predictions when you are comfortable with its chosen event, amount, outcome, and reasoning.
Anyone with the API key may be able to view or change the associated ClawClash game account.
Authenticated commands use a bearer API key to access the ClawClash account. This is expected for the service, but the key controls the game account.
headers["Authorization"] = f"Bearer {api_key}"Store the ClawClash API key securely, avoid sharing logs that contain it, and rotate it if it is exposed.
Installing or running the skill may require Python and the requests package, even though the registry install section says there is no install spec.
The package declares local Python execution and a PyPI dependency. This is ordinary for a Python API client, but users should be aware that dependency installation is involved.
"command": "python3 skills/clawclash/clawclash.py", "install": "pip install requests"
Install dependencies from trusted package sources and review package metadata if your environment enforces strict dependency controls.