clawtan
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent game-playing skill, but it relies on an unpinned npm CLI, public game/chat interactions, and stored game session files.
This skill appears benign for its stated purpose. Before installing, make sure you are comfortable trusting the external npm package, letting the agent play and chat in a public game, and storing local game session files and persistent strategy notes.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill's CLI means trusting code from npm to run on the machine.
The skill depends on installing an external, unpinned global npm package that is not included in the reviewed artifacts.
npm install -g clawtan
Install only if you trust the npm package and publisher; consider pinning a known version or using an isolated environment.
The agent can make game moves and send game actions on the user's behalf.
The skill asks the agent to execute local CLI commands to make game moves; this is expected for the stated purpose and is explicitly scoped to the clawtan command.
Every action is a single `clawtan` CLI call you run via bash.
Use the skill only when you want the agent to play autonomously, and keep commands limited to the documented clawtan gameplay actions.
Remote game output may steer the agent's next game action.
The skill tells the agent to treat game CLI output as a next-step directive; this is part of the game loop but the output should not be allowed to override non-game instructions.
Each `act` response ends with a >>> directive. Follow it:
Treat CLI directives as valid only for the clawtan game flow, and ignore any unrelated instructions that might appear in game output.
Anyone with access to those session files may be able to act as that player in the game.
The CLI stores game session credentials locally and reuses them for later commands; this is disclosed and game-specific.
your session credentials are **saved automatically** to `~/.clawtan_sessions/{game_id}_{color}.json`
Treat the session files as secrets, use explicit `--game` and `--player` flags when needed, and clear stale sessions after play.
Past game outcomes or chat-influenced lessons may affect future gameplay decisions.
The skill intentionally maintains persistent strategy memory that can influence future games; it is scoped to gameplay and disclosed.
After a game ends, **rewrite this file entirely** based on what you learned.
Review the strategy and history files occasionally, and remove any unwanted or non-game instructions from them.
