Rocom
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: rocom Version: 1.5.0 The 'rocom' skill is a legitimate offline data utility for game statistics. The primary execution script, 'rocom.mjs', is a simple Node.js tool that performs read-only operations on local JSON files within the 'data/' directory. It contains no network modules, no external dependencies, and no credential-handling logic. The documentation in 'SKILL.md' and 'references/game-knowledge.md' provides standard usage instructions and guidance for the AI agent without any evidence of prompt injection or malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill runs code locally to answer game-data queries, rather than being pure text-only documentation.
The skill is invoked by running a bundled local Node.js script. This is consistent with its offline query purpose, but users should notice that installing/using it means allowing local code execution.
`node rocom.mjs pet search dimo` ... `node rocom.mjs skill list`
Use it only if you are comfortable running the bundled Node.js script, and avoid giving it credentials because none are required.
You have less external provenance to rely on when deciding whether to trust the local script and bundled data.
The registry metadata does not identify an upstream code repository or homepage. This is a provenance limitation, though the artifacts show no remote install step or hidden dependency.
Source: unknown; Homepage: none
Prefer verifying the skill package/source before use, especially because it runs a local script.