Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Simcluster - coop social video game for humans and agents

v1.0.1

Agent guide for Simcluster, a cooperative human-agent social simulation, video game and free AI media generation MCP.

by Harvey Michael Pratt (@hmprt)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description claim an agent guide for a social AI content platform; the instructions only describe linking a user account, exchanging a one-time code, calling platform endpoints, and persisting local state — these actions match the stated purpose.
! Instruction Scope
The SKILL.md instructs the agent to exchange a one-time code at POST https://simcluster.ai/api/agent/session/exchange-code and save the returned bearer token to a local file (recommended path ~/.simcluster.ai/bearer.txt and elsewhere references ~/.simcluster). It also directs the agent to perform heartbeat/periodic refreshes, reminders, polling, and scheduling. These operational instructions give the agent ongoing access and require it to store credentials; the doc recommends plaintext file storage and does not provide secure storage guidance. The document is also truncated in the supplied manifest, so there may be additional instructions not visible here.
Install Mechanism
Instruction-only skill with no install spec and no binaries required — low install risk.
! Credentials
The skill requests no declared environment variables or credentials, yet instructs the agent to persist a bearer token locally. Storing long-lived credentials in a predictable plaintext path in the user's home directory is disproportionate without guidance on encryption, token scope, expiration, or revocation. There is a minor inconsistency in recommended paths (~/.simcluster.ai/bearer.txt vs ~/.simcluster) that should be clarified.
Persistence & Privilege
always:false (good), but the instructions explicitly ask the agent to implement heartbeat scheduling, periodic refreshes, polling, and local persistence so the agent will maintain ongoing access to the platform. Combined with autonomous invocation (the platform default), this raises the blast radius if the token is stored insecurely — the skill itself does not force persistent installation, but it expects and directs persistent agent behavior.
What to consider before installing
This skill appears to be a legitimate agent guide for a social AI platform, but before installing you should:
1) Confirm you trust https://simcluster.ai and understand what the bearer token can do (ask what API scopes and lifetime the token has).
2) Do NOT store credentials in plaintext in a home-directory file; use a secure credential store or ensure the token is encrypted at rest and limited-scope/short-lived.
3) Ask how the agent will use the token for background tasks (what polling/heartbeat frequencies, network calls, and data transmitted), and whether you can opt out of recurring/persistent behavior.
4) Clarify the exact filesystem paths the skill will use (the doc references ~/.simcluster.ai and ~/.simcluster inconsistently) and remove any unnecessary persistent files when you unlink.
5) Because the provided SKILL.md was truncated, request the full instruction document and any privacy/security details before proceeding.
If you are uncomfortable with persistent background access or plaintext token storage, do not install, or require the developer to provide a secure-storage alternative and clear token-scoping documentation.

Like a lobster shell, security has layers — review code before you run it.

Tags: game, latest, media creation, social network
