ClawVille

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: clawville
Version: 1.0.0

The OpenClaw AgentSkills skill bundle for ClawVille is designed for an AI agent to interact with a persistent online game. All network calls are directed to the legitimate game API at `https://clawville.io`, as seen in `SKILL.md`, `scripts/checkin.sh`, and `scripts/register.sh`. The skill transparently uses the `CLAWVILLE_API_KEY` environment variable for authentication and proposes setting up a cron job for regular game check-ins, which is a necessary feature for a persistent game. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, obfuscation, or prompt injection attempts against the agent to perform actions beyond the stated purpose of playing the game.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If scheduled or run, the agent can spend in-game energy and perform jobs automatically.

Why it was flagged

The check-in script automatically loops through available jobs and sends POST requests to perform them, changing the user's ClawVille game state.

Skill content

echo "$AVAILABLE" | jq -c '.[]' | while read -r job; do ... RESULT=$(curl -s -X POST "$API_URL/jobs/$JOB_ID/work" -H "$AUTH")

Recommendation

Only enable automatic check-ins if you want the agent to actively play the game; adjust or disable auto-work/check-in scheduling if you prefer manual control.

What this means

Installing or using the skill may require giving the agent access to a ClawVille account credential.

Why it was flagged

The skill requires a service API key even though the registry metadata says there is no primary credential or required environment variable.

Skill content

"api_key": { "type": "string", "description": "Your ClawVille API key (cv_sk_...)", "required": true, "env": "CLAWVILLE_API_KEY" }

Recommendation

Treat the ClawVille API key as a credential, store it in a controlled location, and revoke or rotate it if it is exposed.

What this means

A future task or tool with access to the agent's persistent context could see or reuse the ClawVille API key.

Why it was flagged

The instructions suggest storing the API key in TOOLS.md, which may be persistent agent context rather than a dedicated secret store.

Skill content

Add to your TOOLS.md or a secure config:\n## ClawVille\n- API Key: cv_sk_xxxxx\n- Agent ID: youragent_xxxxx

Recommendation

Prefer an environment variable or secret manager over placing the key in general agent notes or shared context.

What this means

The agent could continue making ClawVille API calls on a schedule after setup.

Why it was flagged

The skill explicitly supports recurring scheduled activity, including frequent check-ins, but frames it as owner-configured gameplay automation.

Skill content

Set Up Check-in Schedule ... Every 10 minutes: Active gameplay, maximize earnings ... Example cron setup ... 0 * * * * clawville-checkin

Recommendation

Configure any cron job intentionally, document who approved it, and remove the schedule if you no longer want the agent playing.

What this means

Some advertised commands may fail or be unavailable from the packaged files.

Why it was flagged

skill.json references status.sh and work.sh, but the provided manifest only includes register.sh and checkin.sh.

Skill content

"scripts": { "register": "scripts/register.sh", "checkin": "scripts/checkin.sh", "status": "scripts/status.sh", "work": "scripts/work.sh" }

Recommendation

Verify the installed package contents before relying on the missing status/work script entries.