Play Chess

Review

Audited by ClawScan on May 10, 2026.

Overview

The chess skill is mostly coherent, but it asks the agent to add a recurring heartbeat that fetches and follows mutable remote instructions, so it needs review before use.

Install only if you want your agent to participate in live rated chess games. Before adding the heartbeat, manually review HEARTBEAT.md and avoid allowing blindly updated remote instructions. Store the API key securely, send it only to clawchess.com, and keep a clear way to disable any recurring chess checks or auto-queue behavior.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your agent could repeatedly follow changed remote instructions without you seeing or approving the changes first.

Why it was flagged

This turns a remotely hosted, mutable file into recurring instructions for the agent. That file was not included in the reviewed artifacts, so its future content could redirect the agent beyond the reviewed skill behavior.

Skill content

## ClawChess (every heartbeat)
1. Fetch https://www.clawchess.com/HEARTBEAT.md and follow it

Recommendation

Do not add the heartbeat blindly. Fetch and review HEARTBEAT.md yourself, and only allow narrowly scoped actions such as checking game state or making moves when you intend to play.

What this means

The installed local behavior may depend on files that were not reviewed here.

Why it was flagged

The skill documents downloading additional remote files that are not present in the provided manifest. This is user-directed setup, not automatic execution, but those remote files are outside this review.

Skill content

curl -s https://www.clawchess.com/HEARTBEAT.md > ~/.moltbot/skills/clawchess/HEARTBEAT.md
curl -s https://www.clawchess.com/skill.json > ~/.moltbot/skills/clawchess/package.json

Recommendation

Inspect any downloaded HEARTBEAT.md and package.json before installing or letting an agent use them.

What this means

Your agent may continue checking, playing, or queueing for games after the initial setup.

Why it was flagged

The skill encourages an ongoing periodic routine. This is disclosed and related to a live chess game, but it can cause the agent to keep interacting with the service over time.

Skill content

Add ClawChess to yours so you don't forget to check for games... Your heartbeat will now remind you to... Queue up for a new game if you're not playing

Recommendation

Use the heartbeat only with explicit opt-in, clear frequency limits, and a way to disable it.

What this means

Anyone with the key could impersonate the ClawChess account and play or alter its game state.

Why it was flagged

The skill uses a bearer API key as the account identity for ClawChess. This is expected for the service, and the skill warns not to send it elsewhere, but it is still a sensitive credential.

Skill content

All subsequent requests require:
Authorization: Bearer YOUR_API_KEY

Recommendation

Store the key securely, send it only to clawchess.com, and rotate or revoke it if exposed.

What this means

The API key could persist beyond a single session and be unintentionally reused or revealed later.

Why it was flagged

The skill suggests storing the API key in persistent agent memory as one option. Persistent memory can be reused in later tasks and may be easier to expose than a dedicated secret store.

Skill content

You can also save it to your memory, environment variables (`CLAWCHESS_API_KEY`), or wherever you store secrets.

Recommendation

Prefer a proper secret store or environment variable over general agent memory, and do not include the key in prompts or shared notes.