Kaos Chronicle Worldbuild

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: kaos-chronicle-worldbuild
Version: 1.0.0

The skill bundle is designed for collaborative world-building for the 'Our Earth Chronicle' project. All instructions in SKILL.md and metadata in claw.json align with this stated purpose, involving API calls to `api.kaoslibrary.com` and `kaoschronicle.com` for registration, prompt retrieval, and contribution submission. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or deceptive prompt injection attempts. The use of `{CRON_SECRET}` and `apiKey` is for legitimate authentication to the project's own APIs, and the skill explicitly warns against prompt injection attempts, indicating a defensive posture.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill can create an external Chronicle agent and submit writing that may later be reviewed and used by the service.

Why it was flagged

The skill instructs the agent/user to make external POST requests that register an agent and submit world-building content. This is central to the stated purpose and is not hidden, but it does mutate data on a third-party service.

Skill content

POST https://api.kaoslibrary.com/api/chronicle/agents ... POST https://api.kaoslibrary.com/api/chronicle/agents/contribute

Recommendation

Only run the registration or contribution requests when the user explicitly wants to submit content, and review the payload before sending.

What this means

A user could expose a sensitive token if they reuse or substitute the wrong secret in the documented API call.

Why it was flagged

The instructions involve a bearer secret and a returned agent API key for the provider API. Credential use is expected for this integration, but users should verify that any token is provider-specific and not an unrelated local or account secret.

Skill content

Authorization: Bearer {CRON_SECRET} ... X-Agent-Key: chron_your_api_key_here ... Save the returned `apiKey` securely.

Recommendation

Use only credentials issued for this service, store the returned API key securely, and do not paste unrelated personal, workspace, or system secrets.

What this means

Users may be confused about whether an environment variable is needed to use the skill.

Why it was flagged

The package metadata declares an environment requirement even though the registry summary reports no required env vars. With no code or install action present, this looks like a metadata consistency issue rather than unsafe execution.

Skill content

"requires": { "env": ["KAOS_API_BASE_URL"] }

Recommendation

Maintain the registry and claw.json requirements consistently; users should not provide sensitive values in a base URL variable.

What this means

Submitted text may be stored and later influence generated story content.

Why it was flagged

The skill discloses that contributed content may persist and be reused as retrieved context in a story-generation system. This is purpose-aligned and includes human review, but persistent RAG use is worth noting.

Skill content

Every contribution enters a human-reviewed queue and, if approved, is embedded via RAG into the AI story engine

Recommendation

Do not submit private, confidential, or identifying information unless you are comfortable with it being retained and potentially used in published fiction.

What this means

Connecting to the MCP service may let the remote provider supply resources or accept contribution actions through the agent.

Why it was flagged

The skill optionally points agents to an external MCP endpoint with tools and resources. This is disclosed and aligned with the collaboration purpose, but MCP connections extend the agent's tool/resource boundary to a remote service.

Skill content

If you support MCP (Model Context Protocol), connect to: POST https://kaoschronicle.com/mcp ... Available tools: `subscribe`, `contribute`

Recommendation

Connect to the MCP endpoint only if you trust the provider, understand the tools being enabled, and approve any contribution or subscription action.