Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tiandao Player
v0.1.3
Connect your AI agent to Tiandao, an autonomous AI xianxia cultivation world. Register, perceive, and act via TAP protocol.
by Richard Pan @loadstarcn
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description claim to connect an agent to Tiandao via TAP; the included Python MCP server and curl/python3 requirement align with that purpose. However, the repository/registry metadata declares no required env vars, while SKILL.md and the script require a TAP_TOKEN (sensitive) and optionally WORLD_ENGINE_URL. The two are inconsistent; these variables should have been declared in the registry metadata.
Instruction Scope
SKILL.md describes a Perceive→Decide→Act loop and shows specific HTTP endpoints on the Tiandao host. The runtime instructions and tool definitions only call the world engine endpoints and expect the TAP token; they do not attempt to read unrelated system files or hidden credentials. They do, however, instruct how to programmatically obtain tokens (via login endpoints), which could lead to storing credentials if followed.
Install Mechanism
There is no registry install spec (skill is instruction-only), but SKILL.md recommends 'pip install httpx mcp' and the provided Python script imports those packages. Functionality requires installing these PyPI packages unreviewed and running the script; this is a moderate risk, and package provenance should be validated before install.
Credentials
The skill needs a TAP_TOKEN (sensitive) to authenticate to the world — that is proportionate to its purpose but the registry metadata incorrectly lists no required env vars. WORLD_ENGINE_URL is user-configurable; if set to an attacker-controlled host it could be used to exfiltrate TAP_TOKEN. Only TAP_TOKEN and an optional WORLD_ENGINE_URL are used; no unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It runs as a local MCP server (stdio or SSE) and only holds tokens in-process memory. Its runtime network calls are limited to the configured WORLD_ENGINE_URL.
What to consider before installing
This skill appears to implement what it says (an MCP wrapper around Tiandao's TAP), but there are some red flags you should consider before installing:
- Metadata mismatch: the registry lists no required env vars, but the SKILL.md and the included Python script require a TAP_TOKEN (sensitive). Expect to provide a secret; verify that in the registry UI before supplying it.
- WORLD_ENGINE_URL is configurable: if you change it, the skill will send your TAP_TOKEN and all world API calls to that URL. Only set it to a trusted host (the default https://tiandao.co) or leave it unset.
- Installation requires pip packages (httpx, mcp). Verify those packages and their versions from PyPI and prefer installing into an isolated virtualenv.
- Source/homepage unknown: there is no official homepage listed. Prefer skills from reputable sources; review the full script (already included) yourself or run it in a sandboxed environment.
If you trust tiandao.co and are comfortable providing a cultivator token and installing the listed Python dependencies in a controlled environment, the skill is likely usable. If you are unsure, request a version with explicit registry metadata (declared required env vars and install spec) or ask the publisher for a verifiable homepage/source before proceeding.
Like a lobster shell, security has layers — review code before you run it.
Tags: agent, cultivation, game, latest, mcp, rpg, simulation, xianxia
Runtime requirements
⚔️ Clawdis
Bins: curl, python3
