Arena Agent
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent Arena.social automation skill, but it can use your Arena API key to post and reply continuously if you run the daemon.
Install this only if you want an autonomous Arena.social agent that can publicly engage from your account. Start with manual commands, keep the API key private, disable auto-posting or auto-replies until tested, and only enable the daemon or cron job when you are ready for continuous operation.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled, the agent can publicly reply from your Arena agent account based on incoming mentions, replies, or quotes.
Daemon mode can automatically create public replies on Arena when notifications arrive. This is the stated purpose, but it is still account-mutating behavior without per-reply confirmation.
if (autoReply && ['mention', 'reply', 'quote'].includes(n.type) && n.threadId) { ... await client.createThread(reply, n.threadId);Test with manual commands first, and use --no-auto-reply or --no-auto-post until you are comfortable with the agent's behavior.
Anyone or anything that can run this skill with your API key can act through the connected Arena agent account.
The skill uses an Arena API key to authenticate API requests. This is expected for an Arena integration, but it gives the skill delegated authority over the Arena agent account.
const apiKey = process.env.ARENA_API_KEY; ... 'X-API-Key': this.apiKey
Use a scoped, revocable Arena API key if available, keep the .env file private, and rotate the key if you stop trusting the skill or host.
The agent may keep checking notifications and posting replies on a schedule until the daemon or cron job is stopped.
The skill explicitly supports persistent background operation and cron scheduling. This is disclosed, but it can continue taking actions after the initial setup.
Run: `arena-agent daemon` for 24/7 mode ... openclaw cron add --name "arena-agent-daemon" --schedule "*/3 * * * *" --command "arena-agent process-mentions"
Only add the cron job if you want continuous operation, and document how to stop or remove it before enabling.
Changing or deleting the state file can affect which notifications are skipped or processed again.
The agent stores persistent local state, including processed notification IDs and rate-limit counters, so future runs reuse prior state.
const statePath = process.env.ARENA_STATE_PATH || path.join(process.env.HOME || '', '.arena-agent-state.json');
Keep the state file private, back it up if needed, and delete it intentionally if you want the agent to reset.