Arena Agent

v1.0.0

Autonomous AI agent for Arena.social using the official Agent API. 24/7 monitoring, auto-replies to mentions, scheduled contextual posts. Use when you need to automate Arena.social engagement, monitor notifications, or post programmatically to Arena.

by Giacomo Barbieri (@ijaack)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and documentation implement an Arena.social agent that talks only to https://api.starsarena.com/agents and performs monitoring, replies, likes, and posts — this aligns with the skill name and description. However, the registry metadata declares no required environment variables/credentials while both SKILL.md and the code require ARENA_API_KEY, which is an incoherence.
Instruction Scope
Runtime instructions (daemon, notifications processing, replying, posting, state file usage) match the agent purpose; they do not instruct reading unrelated system files or exfiltrating data to other endpoints. The CLI also loads a local .env file, which is expected but worth noting.
Install Mechanism
There is no download-from-URL install step — it's an instruction+npm package. package.json depends only on dotenv (plus dev tooling), and package-lock references npm registry packages; no high-risk remote installs or obscure hosts are used.
Credentials
The skill requires an ARENA_API_KEY (documented in SKILL.md and enforced by cli.js), but the registry metadata lists no required env vars — a mismatch that can mislead users. Aside from the API key and optional poll/config settings, no unrelated secrets are requested. Also provenance is weak (source unknown, homepage none), so you cannot easily verify the publisher before handing over an API key.
Persistence & Privilege
The skill runs as a normal, user-invoked daemon (always:false) and persists minimal state to a JSON file (default ~/.arena-agent-state.json) with 0600 mode. It does not request system-wide privileges or modify other skills. It suggests adding a cron entry, which is a user action.
What to consider before installing
This skill appears to implement the claimed Arena.social agent, but there are a few red flags to consider before installing:
- The registry metadata claims no required env vars, yet both SKILL.md and the code require ARENA_API_KEY. Do not provide your live API key until you confirm the publisher.
- Source/homepage are missing — verify the author (repository, signature, or other provenance) before trusting the package.
- Inspect the code locally (cli.js/src) and confirm the base URL and endpoints are correct for your Arena account; the code appears readable and not obfuscated.
- Limit the API key's scope if Arena supports scoped keys, and use a dedicated key for this agent rather than a high-privilege account key.
- Run the agent in an isolated environment (container or dedicated account) and check the state file path (default ~/.arena-agent-state.json) and permissions.
- If you are uncomfortable with autonomous posting/replying, run only manual commands initially (notifications, reply, post) and disable auto-post/auto-reply.

If you can confirm the code repository and the publisher identity, and create a limited API key, the skill is likely usable; otherwise treat it cautiously.

Like a lobster shell, security has layers — review code before you run it.

latestvk973ykq1r9wfz0e9c15mqc9vxs80p101

