Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Lifepath: AI Life Simulator
v2.0.0 · AI Life Simulator - Experience infinite lives year by year. Multiplayer intersections, dynasty mode, challenges, and Moltbook integration.
⭐ 0 · 2.1k · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The code (server, life simulation, Moltbook integration, Telegram bot, image generation) is consistent with the stated simulator/multiplayer purpose. The required binaries (node, npm, psql) and the DATABASE_URL and GEMINI_API_KEY environment variables are reasonable for it. Minor mismatch: package.json lists the 'openai' package but the code uses GoogleGenerativeAI; this is plausibly harmless, but it indicates unmaintained dependencies.
Instruction Scope
The SKILL.md instructions (npm install, init-db, start the server, copy .env) are within the expected scope. However, the multiplayer intersection code returns other users' Telegram and Moltbook usernames (potential PII), and Moltbook sharing posts data to an external API; both are expected for the feature but widen the privacy surface and are worth noting. SKILL.md does not document GEMINI_API_KEY_BACKUP, but the code references it.
Install Mechanism
There is no automatic installer or arbitrary download; the package is instruction-only (npm install, run scripts). This is lower risk than a remote download/extract install. The included deploy/publish scripts are typical and only call local tools.
Credentials
The declared required variables (GEMINI_API_KEY, DATABASE_URL) align with the functionality, and the optional ones (TELEGRAM_BOT_TOKEN, BANANA_API_KEY, MOLTBOOK_API_KEY, BANKR_WALLET_ADDRESS) make sense. But the code also reads GEMINI_API_KEY_BACKUP (not declared) and, more importantly, embeds two hard-coded API keys in src/services/storyGenerator.js (string literals starting with 'AIzaSy...', the Google API key prefix). Hard-coded keys in source are unexpected, risky, and disproportionate to the skill's needs. Rotating through hard-coded keys plus a backup key is suspicious from a least-privilege perspective and indicates leaked or unmanaged credentials.
Persistence & Privilege
The skill does not request always:true or platform-wide privileges. It does run as a networked server and will accept requests autonomously once deployed, which matches its purpose. It does not attempt to modify other skills or global agent settings.
Scan Findings in Context
[hardcoded-api-key-in-source] unexpected: src/services/storyGenerator.js contains two apparent Google API keys embedded as string literals ('AIzaSyCaM-...' and 'AIzaSyAEwv...'). Embedding API keys in source is not expected or justified by the manifest and is a security risk (leaked keys).
[undeclared-backup-key-usage] unexpected: The code rotates through this.apiKeys which includes process.env.GEMINI_API_KEY_BACKUP but SKILL.md does not declare GEMINI_API_KEY_BACKUP as a required or optional environment variable. The use of an undeclared backup key is an inconsistency.
[exposed-user-identifiers-in-queries] expected: IntersectionService queries return other users' telegram_username and moltbook_username to enable multiplayer intersections. This is functionally expected for shared-world features but expands privacy surface and should be disclosed to users.
[missing-fastify-postgres-registration] unexpected: server.js constructs new LifeService(fastify.pg) but does not register @fastify/postgres plugin before that. This looks like a functional bug (db client may be undefined) rather than malicious, but it shows sloppy wiring and reduces confidence in the package's correctness.
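A check for the two credential findings above (Google-style API keys embedded as string literals, and process.env lookups that SKILL.md does not declare), as an added example; it is not part of the Lifepath package or of the ClawHub scanner. The sample source is a constructed stand-in for src/services/storyGenerator.js using fake key-shaped strings (the real keys are deliberately not reproduced), and the declared-variable list is the one the scan text above attributes to SKILL.md. Run it over the real file to get exact line numbers.

```javascript
// Added audit helper, not code from the Lifepath package or the ClawHub scanner.
// Flags Google-style API keys embedded as string literals and process.env
// lookups that the manifest does not declare. Sample inputs are constructed.

// Google API keys are 39 characters starting with "AIza" (the scan saw "AIzaSy...").
const GOOGLE_KEY_RE = /AIza[0-9A-Za-z_-]{35}/g;
// process.env.NAME references, e.g. process.env.GEMINI_API_KEY_BACKUP
const ENV_REF_RE = /process\.env\.([A-Z][A-Z0-9_]*)/g;

function findHardcodedGoogleKeys(source) {
  const hits = [];
  source.split("\n").forEach((text, idx) => {
    for (const m of text.matchAll(GOOGLE_KEY_RE)) {
      // Never echo the full secret into logs; keep a recognisable prefix only.
      hits.push({ line: idx + 1, redacted: m[0].slice(0, 10) + "..." });
    }
  });
  return hits;
}

function findEnvRefs(source) {
  const names = new Set();
  for (const m of source.matchAll(ENV_REF_RE)) names.add(m[1]);
  return [...names].sort();
}

// Every env var the code reads must be declared in the manifest; anything else
// is an undisclosed credential path (the GEMINI_API_KEY_BACKUP case above).
function undeclaredEnvVars(source, declared) {
  const allowed = new Set(declared);
  return findEnvRefs(source).filter((n) => !allowed.has(n));
}

function auditSource(source, declared) {
  return {
    hardcodedKeys: findHardcodedGoogleKeys(source),
    undeclaredEnv: undeclaredEnvVars(source, declared),
  };
}

// Constructed stand-in for src/services/storyGenerator.js (not the real file;
// the key strings are fake but have the real key shape).
const FAKE_KEY_A = "AIzaSy" + "A".repeat(33);
const FAKE_KEY_B = "AIzaSy" + "B".repeat(33);
const SAMPLE_SOURCE = [
  "class StoryGenerator {",
  "  constructor() {",
  "    this.apiKeys = [",
  "      process.env.GEMINI_API_KEY,",
  "      process.env.GEMINI_API_KEY_BACKUP,",
  `      "${FAKE_KEY_A}",`,
  `      "${FAKE_KEY_B}",`,
  "    ].filter(Boolean);",
  "  }",
  "}",
].join("\n");

// Variables SKILL.md declares according to the scan above (assumed list).
const DECLARED_ENV = [
  "GEMINI_API_KEY", "DATABASE_URL", "TELEGRAM_BOT_TOKEN",
  "BANANA_API_KEY", "MOLTBOOK_API_KEY", "BANKR_WALLET_ADDRESS",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditSource(SAMPLE_SOURCE, DECLARED_ENV), null, 2));
}
```

On the constructed sample this reports two key hits (lines 6 and 7, prefix-redacted) and GEMINI_API_KEY_BACKUP as the one undeclared variable. A hit on a real file should be treated as a leaked credential and rotated, not merely deleted from the working tree, because the string remains in git history.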
What to consider before installing
This package appears to implement the advertised AI life-simulator, but there are red flags you should address before installing or running it:
- Hard-coded API keys in source: src/services/storyGenerator.js contains apparent Google API keys. If those are valid, they represent leaked credentials in the repo. Ask the maintainer to remove keys and rotate them immediately. Do not rely on these embedded keys.
- Undeclared backup key: the code reads GEMINI_API_KEY_BACKUP (not listed in SKILL.md). Confirm which keys the service needs and provide only scoped keys.
- Privacy surface: multiplayer intersection endpoints return other users' telegram and Moltbook usernames; enabling shared worlds can expose PII. Only enable shared_world features if you trust other participants and the deployment environment.
- Run in isolation: run this service in an isolated environment (test VM or container) with a throwaway DB and rotated API keys. Review and remove any hard-coded secrets before deploying to production.
- Code hygiene and tests: server.js appears to assume fastify.pg is present but does not register the plugin; verify and test the service end-to-end before trusting it.
- Request provenance: the package homepage is listed, but confirm maintainers and whether the embedded keys are intentional. If you cannot get satisfactory answers about the hard-coded keys and backup key usage, treat the package as unsafe to run on privileged systems.
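The plugin-ordering bug the scan reports (server.js reading fastify.pg before @fastify/postgres is registered) and the fix it implies, as an added example that is not the package's own server.js. LifeService is a small stand-in for the package's class with an assumed shape, and the Fastify instance and Postgres plugin are passed in as parameters so the ordering can be exercised without a database; in a real deployment you would pass require('fastify')() and require('@fastify/postgres'). That decorators added by a plugin are available only after await fastify.register(...) resolves is standard Fastify behaviour.

```javascript
// Added example, not the package's own server.js. Shows why reading fastify.pg
// before @fastify/postgres has been registered yields undefined, and the correct
// order. `fastify` and `postgresPlugin` are injected so this file runs without a
// database; in production pass require("fastify")() and require("@fastify/postgres").

// Stand-in for the package's LifeService (assumed shape). It fails fast on a
// missing client where the real class would carry `undefined` until first use.
class LifeService {
  constructor(db) {
    if (!db) throw new Error("LifeService needs a database client");
    this.db = db;
  }
  async countLives() {
    // fastify.pg exposes a pg-style query(); table name is assumed.
    const { rows } = await this.db.query("SELECT count(*) AS n FROM lives");
    return Number(rows[0].n);
  }
}

// The wiring the scan describes: the decorator is read before the plugin loads,
// so fastify.pg is still undefined at construction time.
async function buildServerBuggy(fastify, postgresPlugin, connectionString) {
  const life = new LifeService(fastify.pg);
  fastify.register(postgresPlugin, { connectionString });
  return { fastify, life };
}

// Corrected order: register and await the plugin, then read fastify.pg, and
// refuse to start at all when DATABASE_URL is missing rather than later.
async function buildServer(fastify, postgresPlugin, connectionString) {
  if (!connectionString) throw new Error("DATABASE_URL is not set");
  await fastify.register(postgresPlugin, { connectionString });
  if (!fastify.pg) throw new Error("@fastify/postgres did not decorate fastify.pg");
  const life = new LifeService(fastify.pg);
  return { fastify, life };
}
```

With real Fastify the call is `buildServer(require("fastify")(), require("@fastify/postgres"), process.env.DATABASE_URL)` followed by `fastify.listen(...)`; the buggy variant throws immediately with the stand-in class, which is the failure the scan predicts.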
If you want, I can: (1) extract the exact locations of the hard-coded keys and show the lines, (2) produce a checklist of changes to request from the maintainer, or (3) suggest a minimal safe deployment workflow (container + network restrictions + secrets injection).
Like a lobster shell, security has layers — review code before you run it.
Tags: Lifepath, life-simulator, moltbook, ai-narrative, game, story-generator
vk97cbgby2tzxefkh6g6cqz7zsx808w78 · latest
