QQ group chat AI DnD DM (qq群聊ai dnd dm)

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a scoped role-playing DM skill; it runs local Python helpers for dice and campaign state, but shows no network, credential, or destructive behavior.

This skill looks safe for its stated tabletop-game purpose. Before installing, know that it may run the bundled Python scripts and keep a local campaign.json file with game state; avoid sensitive personal information in the campaign data and do not allow absurdly large dice formulas.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

During gameplay, the agent may run the bundled Python scripts on the local environment.

Why it was flagged

The skill instructs the agent to run local Python helper code for dice rolls. This is central to the game mechanics and the provided helper is simple, but it is still local code execution.

Skill content

The local Python environment must be used to run `dice.py <公式>`

Recommendation

Use only if you are comfortable with local Python helper execution, and keep execution limited to the bundled dice.py and memory.py files.

What this means

A malformed or excessively large dice request could slow down or disrupt the local agent process.

Why it was flagged

The dice roller accepts the dice count from the input expression without an explicit cap, so an absurdly large dice formula could waste CPU or memory if the agent runs it.

Skill content

rolls = [random.randint(1, sides) for _ in range(count)]

Recommendation

Keep dice formulas within normal tabletop ranges, and consider adding limits on dice count and side count if this skill is used in an untrusted group chat.

What this means

Character names, stats, story summaries, and recent logs may persist across game sessions.

Why it was flagged

The skill stores and later reads persistent campaign state from a local JSON file. This is expected for a campaign DM, but persisted logs or names can influence later sessions.

Skill content

STATE_FILE = os.path.join(os.path.dirname(__file__), 'campaign.json')

Recommendation

Avoid putting sensitive personal information in character names or logs, and reset or delete campaign.json when you want to clear the campaign state.

What this means

Users have limited provenance information and may need Python available even though it is not declared as a requirement.

Why it was flagged

The registry metadata does not provide an upstream source/homepage and does not declare the Python runtime that SKILL.md expects. The full included source is small and reviewable, so this is a transparency note rather than a security concern.

Skill content

Source: unknown; Homepage: none; Required binaries (all must exist): none

Recommendation

Review the bundled source before use and ensure the local runtime environment can safely run the helper scripts.