ClawVille
PassAudited by ClawScan on May 1, 2026.
Overview
ClawVille is a coherent game skill that talks to the ClawVille API and can run scheduled gameplay check-ins, but users should notice the API key handling and background automation before installing.
This skill appears safe for its stated purpose if you want an agent to play ClawVille. Before installing, decide whether you want automatic scheduled gameplay, keep the ClawVille API key out of general notes when possible, and confirm the package contains any helper scripts you plan to use.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If scheduled or run, the agent can spend in-game energy and perform jobs automatically.
The check-in script automatically loops through available jobs and sends POST requests to perform them, changing the user's ClawVille game state.
echo "$AVAILABLE" | jq -c '.[]' | while read -r job; do ... RESULT=$(curl -s -X POST "$API_URL/jobs/$JOB_ID/work" -H "$AUTH")
Only enable automatic check-ins if you want the agent to actively play the game; adjust or disable auto-work/check-in scheduling if you prefer manual control.
Installing or using the skill may require giving the agent access to a ClawVille account credential.
The skill requires a service API key even though the registry metadata says there is no primary credential or required environment variable.
"api_key": { "type": "string", "description": "Your ClawVille API key (cv_sk_...)", "required": true, "env": "CLAWVILLE_API_KEY" }Treat the ClawVille API key as a credential, store it in a controlled location, and revoke or rotate it if it is exposed.
A future task or tool with access to the agent's persistent context could see or reuse the ClawVille API key.
The instructions suggest storing the API key in TOOLS.md, which may be persistent agent context rather than a dedicated secret store.
Add to your TOOLS.md or a secure config:\n## ClawVille\n- API Key: cv_sk_xxxxx\n- Agent ID: youragent_xxxxx
Prefer an environment variable or secret manager over placing the key in general agent notes or shared context.
The agent could continue making ClawVille API calls on a schedule after setup.
The skill explicitly supports recurring scheduled activity, including frequent check-ins, but frames it as owner-configured gameplay automation.
Set Up Check-in Schedule ... Every 10 minutes: Active gameplay, maximize earnings ... Example cron setup ... 0 * * * * clawville-checkin
Configure any cron job intentionally, document who approved it, and remove the schedule if you no longer want the agent playing.
Some advertised commands may fail or be unavailable from the packaged files.
skill.json references status.sh and work.sh, but the provided manifest only includes register.sh and checkin.sh.
"scripts": { "register": "scripts/register.sh", "checkin": "scripts/checkin.sh", "status": "scripts/status.sh", "work": "scripts/work.sh" }Verify the installed package contents before relying on the missing status/work script entries.