3D Game Builder

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: build-game
Version: 1.2.0

The 'build-game' skill bundle is a comprehensive framework for generating and iterating on 3D Three.js games. It provides the AI agent with extensive templates and reference materials for audio, physics, graphics, and game systems. While the skill utilizes broad permissions (Bash, Write, Read) and includes a script (serve.sh) to launch a local Python HTTP server for previewing games, these actions are strictly aligned with its stated purpose. The optional feature to publish games to an external service (here.now) is clearly documented as a sharing mechanism, and no evidence of malicious intent, data exfiltration of sensitive host information, or obfuscation was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked, the agent has enough local tooling authority to run shell commands and modify files within the session.

Why it was flagged

The skill grants unrestricted Bash access along with file read/write tools. This is useful for building and serving a local game, but it is broader than the specific commands shown.

Skill content

allowed-tools: Bash(*), Write, Read, Edit, Glob, Grep

Recommendation

Use it for game-building tasks you trust, and review generated files or shell actions if your agent shows them before execution.

What this means

Starting a new game may remove the previous generated game state in the temporary build folder.

Why it was flagged

The skill intentionally replaces prior generated game files when starting a new game. The surrounding instructions point to /tmp/game-build, so this appears scoped and purpose-aligned.

Skill content

→ Delete old files, proceed to **Phase 1** as a fresh build.

Recommendation

Copy or save any generated game you want to keep before asking for a completely new game.

What this means

Future edits may be based on whatever is stored in progress.md, including outdated or manually changed information.

Why it was flagged

The skill uses a persistent progress file as context for future invocations, which is appropriate for iterative development but means saved state can influence later behavior.

Skill content

Read `progress.md` to understand what game currently exists... always update `progress.md` with an entry in the Iteration History section.

Recommendation

Avoid putting sensitive information in game descriptions, and clear /tmp/game-build/progress.md if you want a fresh state.

What this means

Any private image used as a texture may become part of the game file and be shared if the HTML is shared.

Why it was flagged

The skill may include provided image assets directly inside the generated HTML file. This is expected for a self-contained browser game, but it can retain private images in the output.

Skill content

If the user provides actual texture images, embed them as base64 data URIs in the HTML

Recommendation

Only provide reference or texture images that you are comfortable embedding in the generated game.

What this means

The generated game may require network access to jsDelivr and depends on the CDN serving the expected library.

Why it was flagged

The generated game pattern imports Three.js from a public CDN. The version is pinned and this is normal for browser demos, but the output depends on that external source at runtime.

Skill content

"three": "https://cdn.jsdelivr.net/npm/three@0.160.0/build/three.module.js"

Recommendation

For offline or production use, consider vendoring the Three.js files locally or reviewing the CDN dependency.