ClawVille

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If scheduled or run, the agent can spend in-game energy and perform jobs automatically.

Why it was flagged

The check-in script automatically loops through available jobs and sends POST requests to perform them, changing the user's ClawVille game state.

Skill content

echo "$AVAILABLE" | jq -c '.[]' | while read -r job; do ... RESULT=$(curl -s -X POST "$API_URL/jobs/$JOB_ID/work" -H "$AUTH")

Recommendation

Only enable automatic check-ins if you want the agent to actively play the game; adjust or disable auto-work/check-in scheduling if you prefer manual control.

What this means

Installing or using the skill may require giving the agent access to a ClawVille account credential.

Why it was flagged

The skill requires a service API key even though the registry metadata says there is no primary credential or required environment variable.

Skill content

"api_key": { "type": "string", "description": "Your ClawVille API key (cv_sk_...)", "required": true, "env": "CLAWVILLE_API_KEY" }

Recommendation

Treat the ClawVille API key as a credential, store it in a controlled location, and revoke or rotate it if it is exposed.

What this means

A future task or tool with access to the agent's persistent context could see or reuse the ClawVille API key.

Why it was flagged

The instructions suggest storing the API key in TOOLS.md, which may be persistent agent context rather than a dedicated secret store.

Skill content

Add to your TOOLS.md or a secure config:\n## ClawVille\n- API Key: cv_sk_xxxxx\n- Agent ID: youragent_xxxxx

Recommendation

Prefer an environment variable or secret manager over placing the key in general agent notes or shared context.

Note

High Confidence

ASI10: Rogue Agents

What this means

The agent could continue making ClawVille API calls on a schedule after setup.

Why it was flagged

The skill explicitly supports recurring scheduled activity, including frequent check-ins, but frames it as owner-configured gameplay automation.

Skill content

Set Up Check-in Schedule ... Every 10 minutes: Active gameplay, maximize earnings ... Example cron setup ... 0 * * * * clawville-checkin

Recommendation

Configure any cron job intentionally, document who approved it, and remove the schedule if you no longer want the agent playing.

What this means

Some advertised commands may fail or be unavailable from the packaged files.

Why it was flagged

skill.json references status.sh and work.sh, but the provided manifest only includes register.sh and checkin.sh.

Skill content

"scripts": { "register": "scripts/register.sh", "checkin": "scripts/checkin.sh", "status": "scripts/status.sh", "work": "scripts/work.sh" }

Recommendation

Verify the installed package contents before relying on the missing status/work script entries.