Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

COCOS CLI Game Development

v0.0.2

Create, build, and modify Cocos game projects. Use this skill when the user asks to start a new Cocos game (2D/3D) or make changes to an existing one. It enf...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims to enforce use of the Cocos CLI and an MCP server, and its runtime steps explicitly run `cocos` commands and start an MCP server. However the registry metadata declares no required binaries or primary credential. At minimum the Cocos CLI binary should be listed as a prerequisite. The SKILL.md also references local `assets/` and `references/` directories (and copying assets into projects) but the package contains no such assets — a mismatch between claimed assets and what is provided.
! Instruction Scope
The SKILL.md directs the agent to execute CLI commands (`cocos create`, `cocos build`, `cocos start-mcp-server`) and to start a long‑running background MCP server. It also instructs the agent to register/connect that MCP server with the agent's tool registry and to write error logs into the project (`.learnings/ERRORS.md`). These are reasonable for a Cocos workflow, but starting and registering an external long‑running server increases attack surface and may grant the server tools or capabilities in the agent context. The instructions do not spell out required approvals, nor do they warn about what registering the server entails (e.g., adding endpoints or tokens).
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which is low risk from an install perspective. Nothing will be written to disk by an install step. The risk comes from runtime behavior rather than installation.
! Credentials
The skill declares no required environment variables or credentials, yet its runtime behavior (starting an external MCP server and instructing the user to register it with the agent) likely requires adding endpoints or credentials to the agent configuration. That lack of declared env/credential requirements is an incoherence. Also copying assets from an undeclared `assets/` directory implies additional local file access that is not documented in the metadata.
! Persistence & Privilege
The skill explicitly requires starting a long‑running background MCP server and asks that it be registered with OpenClaw so the agent can use its tools. While the skill is not marked always:true, registering an external server can create persistent tooling exposure and effectively extend the agent's runtime capabilities to that server. The SKILL.md does not define safeguards, nor does it state what registering changes in the agent config, which raises privilege/persistence concerns.
What to consider before installing
This skill largely describes a plausible Cocos CLI workflow but has mismatches and operational risks you should address before installing. Ask the publisher for the source code/homepage and for an explicit prerequisite list (the Cocos CLI binary should be declared). Confirm whether any assets or reference files are supposed to be bundled (SKILL.md mentions assets/ and references/ but none are present). Be cautious about starting and registering an MCP server: only register servers you control or fully trust, because registering gives that server a pathway into the agent's tooling. If you proceed, run interactions in an isolated environment, review any assets the skill will copy, and require explicit user approval before the agent starts background servers or modifies agent configuration. If the publisher cannot justify the missing prerequisite declarations and the reference assets, prefer not to install.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97at7hzzz22jgsrcjwpdeq0v1845r51


SKILL.md

Cocos Game Development

Overview

This skill defines the standard operating procedure for creating and developing games using the Cocos engine. It strictly enforces the use of the Cocos CLI and the Cocos MCP (Model Context Protocol) server for game logic and scene modifications.

Execution Steps

1. Environment Verification

  • Action: Run `cocos --help` using the exec tool.
  • Goal: Confirm that the Cocos CLI is successfully installed and accessible in the current environment.

2. Project Creation & Templating

  • Action: Ask the user for the desired project name and whether the game should be 2D or 3D (if not provided).
  • Execution:
    • First, run `cocos create --help` to identify the correct flags for templates.
    • Run `cocos create <project_name> <template_flags>` to generate the project structure.
    • (Optional) If standard project assets (like `.gitignore` or base scripts) are present in this skill's `assets/` directory, copy them to the new project root.

3. Start MCP Server

  • Action: Change the working directory to the newly created project folder.
  • Execution: Run `cocos start-mcp-server` using the exec tool.
  • Important: Because this is a long-running server, you MUST use `background: true` in your exec tool call so it does not block the terminal.

4. Tool Discovery & Registration

  • Action: The MCP server needs to be connected to OpenClaw. If the tools are not automatically available in the agent's context, instruct the user to register the MCP server in their configuration or use the appropriate command to attach it.
  • Execution: Once connected, check the available tools exposed by the Cocos MCP server to understand the capabilities.

5. Game Production (Strict Rule & Anti-Hallucination)

  • CRITICAL CONSTRAINT: When building the game (creating scenes, adding nodes, modifying properties, adding components), you MUST ONLY use the tools provided by the Cocos MCP server.
  • Do not use standard file editing (edit/write) to manually hack scene files (.scene, .prefab, etc.) or engine configurations unless the MCP server lacks a specific capability and the user explicitly authorizes a manual override.
  • Anti-Hallucination: Before modifying any scene or node, always read the tool's parameter schema. Never invent UUIDs. Always use query tools (e.g., getting the scene tree) to retrieve exact UUIDs and node hierarchies before executing modification commands.

6. Build and Test

  • Action: Once the user confirms the game features are complete, package the game for testing.
  • Execution: Run the build command targeting the web platform (e.g., `cocos build --platform web-mobile`). Use `cocos build --help` to confirm the exact parameter syntax before building.

Troubleshooting & Error Logging

  • Port Conflicts: If `cocos start-mcp-server` fails, check if the port is already in use and try specifying an alternative port (e.g., `--port`).
  • Continuous Improvement: If a command, build process, or MCP tool fails unexpectedly, you must log the error to the project's `.learnings/ERRORS.md` file (following the self-improvement skill standards). Include the command, the exact error output, and any context. This helps the agent learn and avoid repeating the mistake.
  • Reference Docs: For complex domain logic (like advanced 3D shaders or specific 2D physics patterns), look for supporting markdown files in this skill's `references/` directory before proceeding.
