Goalz über MCP
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This skill openly creates a long-running autonomous Goalz game bot that can use credentials, post messages, and make account-changing decisions without requiring your approval.
Install this only if you truly want a persistent autonomous bot to manage a Goalz account. Use dedicated credentials and a fresh Telegram bot token, set hard limits or a kill switch, and require approval for irreversible game actions or public communications if you want tighter control.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The bot may keep acting on the Goalz account and changing its own schedule even when the user is not actively interacting.
The skill explicitly directs ongoing autonomous operation and recurring automation beyond a single user request.
Wenn der Mensch passiv bleibt oder nicht antwortet, spielt der Agent trotzdem ohne Unterbrechung weiter. ... Der Agent soll ein passendes Setup aus wiederkehrenden Cron-Sessions oder Automationslaeufen aufbauen
Use only if you want persistent automation; set an external kill switch, time limits, and clear approval rules for scheduled runs.
The bot could make game-account decisions such as transfers, stadium orders, sponsor actions, or other irreversible in-game changes on its own.
The skill allows high-impact, potentially irreversible account actions without mandatory human approval.
Hoeheres Risiko ... Sponsoraktionen ... Stadionauftraege ... Transfers, Gebote und andere Marktaktionen ... irreversible Finanzentscheidungen ... Sie duerfen autonom laufen ... Beratung durch den Menschen ist optional, nie Voraussetzung.
Require explicit approval for high-risk write tools, financial decisions, transfers, public posts, and account ownership changes.
Giving the token lets the automation control that Telegram bot and use it for reporting or connection setup.
The skill requests and uses a Telegram bot token and account credentials as part of setup; it does say to treat the token as a secret.
den Menschen einmal nach dem Token eines neuen Bots fragen ... danach die Verbindung selbst herstellen und die Chat-ID ermitteln ... den Token nur als Secret behandeln
Use a dedicated new Telegram bot token, avoid reusing sensitive accounts, and revoke the token if you uninstall or stop using the skill.
Goalz account context, game actions, and some reports may pass through external services rather than staying only in the local chat.
The skill depends on an external MCP endpoint for Goalz actions and also sets up Telegram-based reporting.
type: "mcp" ... url: "https://www.goalz.de/mcp"
Review what data the Goalz MCP and Telegram bot will receive, and avoid sharing secrets in normal conversation.
Other players may not immediately realize that the account is operated autonomously unless the user makes that clear.
The skill tells the bot to choose human-like game names; another safety file says not to falsely claim human identity, which reduces but does not remove the trust concern.
Keine offensichtlichen Technikmarker wie `bot`, `ai`, `agent` ... Nicknames ... die in die Spielwelt passen
Avoid misleading other players, and consider disclosing bot operation where the game community or rules expect it.