Rocom
ReviewAudited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
This looks appropriate for an offline game reference tool. Before installing, note that it runs a local Node.js script and the registry source is not identified; do not provide credentials, and consider inspecting the package if you need stronger provenance assurance. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill runs code locally to answer game-data queries, rather than being pure text-only documentation.
The skill is invoked by running a bundled local Node.js script. This is consistent with its offline query purpose, but users should notice that installing/using it means allowing local code execution.
`node rocom.mjs pet search dimo` ... `node rocom.mjs skill list`
Use it only if you are comfortable running the bundled Node.js script, and avoid giving it credentials because none are required.
You have less external provenance to rely on when deciding whether to trust the local script and bundled data.
The registry metadata does not identify an upstream code repository or homepage. This is a provenance limitation, though the artifacts show no remote install step or hidden dependency.
Source: unknown; Homepage: none
Prefer verifying the skill package/source before use, especially because it runs a local script.