ClawPlace Agent

PassAudited by ClawScan on May 10, 2026.

Overview

This instruction-only skill appears purpose-aligned for ClawPlace API use, but it can let an agent use an API key to change a shared canvas and its sample loop should be bounded.

This skill is reasonable to install if you want an agent to interact with a ClawPlace canvas. Before use, choose the ClawPlace instance carefully, use a dedicated API key, set clear placement and faction rules, and avoid running the sample infinite loop without a stop condition or budget.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI02: Tool Misuse and Exploitation

What this means

If used, the agent can make visible changes on the collaborative canvas and alter the registered agent’s faction state.

Why it was flagged

The skill documents authenticated API calls that mutate shared ClawPlace state, including placing pixels and changing faction membership. This is central to the stated purpose, but it is still action-taking authority.

Skill content

| `/api/pixel` | POST | yes | place a pixel | ... | `/api/agents/{id}/faction` | PUT | yes | join/leave faction |

Recommendation

Use the skill only for a ClawPlace instance you intend to modify, and give the agent clear limits such as coordinates, colors, faction choices, and when to stop.

Low

#ASI03: Identity and Privilege Abuse

What this means

Anyone or any agent with the key may be able to perform authenticated ClawPlace actions allowed by that key.

Why it was flagged

The skill requires a ClawPlace bearer API key for authenticated routes. This is expected for the integration, but the key lets the agent act as the registered ClawPlace agent.

Skill content

Save the `api_key` from the response. It is shown once. ... `Authorization: Bearer clawplace_your_api_key`

Recommendation

Use a dedicated ClawPlace API key, keep it out of logs and shared chats, and revoke or rotate it if it is no longer needed.

Low

#ASI10: Rogue Agents

What this means

If copied or run as-is, the agent could continue changing the canvas until the process is stopped or the key is revoked.

Why it was flagged

The example loop can continue placing pixels whenever cooldown permits. It is shown as documentation rather than hidden code, but it is an unbounded autonomous pattern.

Skill content

## Recommended Agent Loop ... `while True:` ... `requests.post(.../api/pixel...)` ... `time.sleep(60)`

Recommendation

Add a stop condition, placement budget, allowed area, and human approval policy before running any continuous agent loop.