Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Rocom

v1.5.0

Roco Kingdom World offline data tool. Local JSON queries for pets, skills, and items.

by Riv3r (@imnotriv3r)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, required binary (node), and the large bundled data/ JSON files are consistent with an offline data lookup tool for game content.
Instruction Scope
SKILL.md instructs running node rocom.mjs against local JSON files and explicitly states 'no network calls'; however, the package includes a runnable code file (rocom.mjs). Because the JS source was not provided in the evaluation excerpt, the runtime behavior of that file (network I/O, spawning subprocesses, reading other paths) cannot be confirmed. That mismatch between the explicit 'no network' claim and the presence of executable code is the primary scope concern.
Install Mechanism
There is no install spec (instruction-only), which is low-risk for installs, but the skill bundles an executable module (rocom.mjs) and large JSON assets that will be executed/parsed by Node when invoked — inspect the bundled code rather than relying solely on the README.
Credentials
The skill requests no environment variables, no credentials, and only requires Node — this is proportionate for a local JSON lookup tool.
Persistence & Privilege
The always flag is false, and there are no config paths or claims of modifying agent/system configuration. Autonomous model invocation is allowed, but that is the normal platform default.
Scan Findings in Context
[unicode-control-chars] unexpected: Control/unicode-injection patterns were detected inside SKILL.md. These can be used to influence prompt parsing or to hide content; they are not expected for a simple offline data tool. Review the SKILL.md and bundled files for obfuscated instructions.
What to consider before installing
This package appears to be an offline Node.js data browser and its file list (many static JSONs) matches that purpose, but because it includes an executable JS file you should not run it blindly. Before installing or running:
1) open and review rocom.mjs for any network calls (http, https, fetch, net, axios, request), child_process usage, or reads/writes to unexpected file paths;
2) search the code for strings like 'fetch', 'http', 'https', 'net', 'dgram', 'child_process', 'exec', 'spawn', or 'require("fs")' reading outside ./data;
3) run it first in a sandboxed environment or with network disabled;
4) check the SKILL.md for hidden/unusual characters (the scanner flagged unicode control chars) and remove them;
5) verify licensing: data claims CC BY-NC-SA which may restrict redistribution.
If you cannot inspect the JS file, treat this skill as untrusted and avoid running it with network access or on sensitive hosts.
rocom.mjs:29: File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

Clawdis
Bins: node
