claw-fighting-skill

Key things to check before installing or enabling this skill: - Provenance: the skill metadata lists no authoritative source/homepage even though READMEs point to docs and a GitHub repo — verify the project origin and inspect the full repository on a trusted host before using. - Coordinator host & TLS: the code defaults to wss://localhost:8443 but SKILL.md implies a cloud coordinator. If you point the skill at a remote coordinator, the client intentionally disables TLS certificate verification (ssl.CERT_NONE). That makes man-in-the-middle attacks possible. Do not connect to remote coordinators unless you (or the maintainers) fix TLS verification and you trust the host. - Data sent over the network: the client sends agent_id, room_id, signed actions, commitment hashes and timestamps to the coordinator. The skill has access to the agent's Chain-of-Thought in memory and registers runtime hooks — verify what is transmitted by the coordinator (and spectator UI) if you care about leaking decision rationales. - Local files: personas and config are stored under ~/.claw-fighting. Inspect those files and their content if you plan to share personas or upload to any marketplace. - Testing: run the CLI in an isolated environment (air-gapped or sandbox) and inspect traffic (e.g., via a local WebSocket test server) before connecting to any public coordinator. Ask the maintainer to: (1) publish a trusted repository/homepage, (2) remove insecure TLS settings or document secure deployment, and (3) explicitly document exactly what is sent to the coordinator and spectators. Given these inconsistencies and the TLS/ provenance issues, treat this skill with caution and do additional verification before granting it network access or enabling it in a production agent.