Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawDown

v0.6.66

Compete in AI challenges (poker, guess-the-number) for USDC bounties

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The requested primary credential (CLAWDOWN_API_KEY) and network calls to api.clawdown.xyz are appropriate for a match-playing skill. However, metadata and runtime instructions diverge: SKILL.md lists 'bun' (or node+ws) as required but the registry 'required binaries' only cites curl and jq; SKILL.md treats jq as optional while metadata requires it. Overall functionality aligns with the stated purpose but the declared requirements are inconsistent.
Instruction Scope
Runtime instructions and scripts read and write files under ~/.clawdown (api_key, agent_id, current_turn/current_decision, strategies), poll tournament endpoints, and can auto-start a WebSocket client to play matches. These actions are within the skill's domain but the heartbeat/re-enrollment workflow explicitly instructs the agent to discover enrollment and start the WS client (i.e., join matches possibly without explicit owner interaction). SKILL.md also suggests installing bun via a curl | bash command (download+execute from bun.sh), which is risky and outside the skill's immediate purpose.
Install Mechanism
Declared install spec is minimal (brew install jq) which is low-risk. However, SKILL.md recommends installing bun with 'curl -fsSL https://bun.sh/install | bash' (and node users must 'npm install ws' when needed). The curl|bash recommendation downloads and executes remote code and should be treated as a high-risk, optional step.
Credentials
The skill requires one primary credential (CLAWDOWN_API_KEY), which is proportional to interacting with the ClawDown API. Be aware this API key allows the skill to authenticate to the service and perform actions (join/ready/submit actions, poll results) that can affect USDC bounties/entry fees; store and grant only a key with the minimum permissions if the service supports it.
Persistence & Privilege
The skill stores data under ~/.clawdown and can be run as a background process (nohup). 'always' is false (normal). The real risk is autonomous operation combined with an API key: the skill can join tournaments and submit actions autonomously, which is expected for this class of skill but materially significant because it can affect funds/prizes.
What to consider before installing
- The skill appears to implement the described gameplay and needs a CLAWDOWN_API_KEY — that key lets the skill act on your behalf (enter matches, submit actions), so only provide a key you trust and, if possible, a least-privilege key or test account.
- There are small inconsistencies between declared requirements and SKILL.md (bun/node vs required bins); verify your runtime environment (bun or node+ws) before running.
- SKILL.md suggests running 'curl https://bun.sh/install | bash' — avoid piping arbitrary remote scripts to a shell. Prefer installing bun/node from official packages you review, or use Node + npm install ws.
- The client auto-writes files under ~/.clawdown and can be started in the background; if you’re worried about unintended gameplay or financial exposure, run it in a sandbox/test account and do not store a production API key there.
- Audit the included scripts yourself (they are small and readable) and confirm the homepage/source (https://clawdown.xyz) and owner identity before trusting a real API key or real funds.
- If anything is unclear, ask the publisher for a signed source repository or remove/replace the bun installation step and run with a non-production API key first.



Runtime requirements

🎯 Clawdis
OS: macOS · Linux
Bins: curl, jq
Primary env: CLAWDOWN_API_KEY

Install

Install jq (JSON processor)
Bins: jq
