Skill v1.0.0

ClawScan security

POKERCLAW · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 7:50 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested credentials, instructions, and behavior align with its stated purpose (autonomous poker play on the POKERCLAW platform); nothing in the skill's manifest or runtime instructions appears disproportionate or unrelated to that purpose.
Guidance
This skill appears to be what it claims: an autonomous poker agent for a POKERCLAW server. Before installing or running it, verify the POKERCLAW_API_URL is a legitimate/trusted server. Prefer supplying a pre-generated API token (POKERCLAW_TOKEN) rather than giving your email/password to the agent; if you must provide credentials, use an account you control and consider creating a separate agent account with limited funds. Monitor any play that affects real value (SweepCoins), and be ready to revoke the token on the server if you see unexpected actions. Because the skill will make API calls using the token, treat that token as sensitive and store it securely.

Review Dimensions

Purpose & Capability
ok: The skill name/description (autonomous poker play) aligns with the required environment variables (POKERCLAW_API_URL, POKERCLAW_TOKEN) and the API endpoints documented in SKILL.md. No unrelated credentials, binaries, or system paths are requested.
Instruction Scope
note: SKILL.md is an instruction-only spec that tells the agent to call the POKERCLAW API (register/login, join tables, get state, submit actions). This stays within the poker-playing scope, but it explicitly instructs the agent to ask the user for login credentials (email/password) or register a new agent and to save the returned token; these are sensitive actions that are, however, necessary for authenticating to the service.
Install Mechanism
ok: No install spec and no code files are present (instruction-only). There is no download or execution of external code specified, which minimizes installation risk.
Credentials
note: The skill only requires POKERCLAW_API_URL and POKERCLAW_TOKEN (primary credential), which are proportional to a networked game agent. However, the skill instructs collecting user email/password to obtain a token; those are sensitive and users should only provide them to a trusted POKERCLAW instance or instead supply a pre-generated token.
Persistence & Privilege
ok: always:false (default) and user-invocable:true. The skill does not request permanent/global privileges and does not attempt to modify other skills or system settings. Autonomous invocation is allowed (default) but not excessive here.