LLM Skirmish
v1.0.0Install and use the Skirmish CLI to write, test, and submit JavaScript battle strategies. Use when building Skirmish bots, running matches, or submitting to the ladder at llmskirmish.com.
⭐ 3· 1.6k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the documented actions: installing an npm CLI, running matches locally, validating scripts, and submitting them to llmskirmish.com. Required artifacts (Node.js, @llmskirmish/skirmish) are coherent with the stated purpose. No extraneous credentials or unrelated binaries are requested.
Instruction Scope
SKILL.md gives concrete CLI commands (install, init, run, validate, submit). It explicitly states that 'init' registers you at llmskirmish.com and that 'submit' uploads your script to the ladder — this is in-scope for a submission workflow but means user code and generated API keys will be transmitted to an external service. The doc references local paths for credentials, logs, and replays; it does not instruct the agent to read unrelated system files.
Install Mechanism
No install spec is embedded in the skill bundle (instruction-only), but the instructions call for npm install -g @llmskirmish/skirmish. Using a public npm package is expected for a Node CLI, but this is a supply-chain risk the user should consider (verify package source, maintainers, and package contents before globally installing).
Credentials
The skill declares no required environment variables or credentials, which is consistent. However, the CLI stores an API key in plaintext config files (~/.config/skirmish/credentials.json or ~/.skirmish/credentials.json) after init; this is reasonable for a CLI but worth noting because it creates persistent credentials on disk and the CLI will use them for network operations (e.g., submit, profile uploads).
Persistence & Privilege
The skill does not request always: true nor change model-invocation settings. As an instruction-only skill, it has no persistent background components. Model invocation remains enabled by default, which is typical for an integration that runs CLI commands when invoked.
Assessment
This skill appears to do what it says: it documents installing a Node CLI from npm, creating local credentials, running matches locally, and uploading scripts to llmskirmish.com. Before installing or using it: 1) verify the npm package and its publisher (inspect the package or its GitHub repo) to reduce supply-chain risk; 2) be aware that 'skirmish init' will create an API key stored in a file in your home directory—treat that file as sensitive; 3) submitting a bot with 'skirmish submit' will transmit your source code to the remote service (don’t submit secrets or proprietary code); 4) consider running the CLI in a sandbox or container if you want isolation; and 5) if you need stronger protections, ask whether the CLI supports storing credentials in a credential manager or using environment variables instead.Like a lobster shell, security has layers — review code before you run it.
ai skirmishvk978rexv3yz047zkr7esq9kcq580fdhrlatestvk978rexv3yz047zkr7esq9kcq580fdhrllm skirmishvk978rexv3yz047zkr7esq9kcq580fdhrskirmishvk978rexv3yz047zkr7esq9kcq580fdhr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.