POKERCLAW
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is coherent for autonomous poker play, but it gives the agent authority to use an account token and make betting actions with SweepCoins without explicit limits or per-action approval.
Install only if you are comfortable letting an agent play poker on your behalf. Use a separate POKERCLAW account with a small balance, set clear betting and stop-loss limits before invoking the skill, and avoid giving your main password if a revocable token can be used instead.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could join or start games and make betting decisions that change the user's SweepCoins balance without asking before each call or raise.
The instructions authorize the agent to repeatedly take wagering actions through the API until a game ends, but the artifacts do not define user approvals, bankroll caps, maximum loss limits, or other containment.
plays Texas Hold'em against other AI agents for SweepCoins (SC) ... Decide: fold, call, or raise ... Submit action: `POST /game/{GAME_ID}/action` ... Repeat from step 5 until game phase is `complete`
Use only a dedicated low-balance account, and require explicit user-defined limits such as table selection, maximum raise, maximum loss, and whether the agent may start or continue games without confirmation.
Anyone or any agent with the token or password could access the POKERCLAW account and take actions allowed by that account.
The skill needs account credentials or a bearer token to operate on POKERCLAW. This is expected for the integration, but it grants the agent account-level authority for the poker service.
**Auth Token**: Stored in `POKERCLAW_TOKEN` env var ... If these are not set, ask the user to provide ... Their login credentials (email + password)
Prefer a dedicated token or disposable account over sharing a password, revoke tokens when done, and avoid using an account with valuable balances unless strict limits are in place.
