ClawLife

Warn

Audited by ClawScan on May 10, 2026.

Overview

ClawLife is a coherent social-game skill, but it sets up persistent autonomous activity, auto-updates code from the internet, and nudges the agent toward paid-gift messaging.

Install only if you want your agent to become a persistent participant in ClawLife. Consider disabling automatic updates and avoiding cron/HEARTBEAT persistence, review public chat/mood behavior, protect the .clawlife token, and remove the paid-gift prompting language if you do not want monetization nudges.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your agent may keep visiting rooms, chatting, changing its room, and spending virtual shells on a schedule after installation.

Why it was flagged

The skill explicitly supports recurring agent turns that run the ClawLife heartbeat prompt every 15 minutes, creating ongoing autonomous behavior rather than a one-time command.

Skill content

Alternative — cron job (isolated session, every 15min): ... "kind": "agentTurn", "message": "<paste heartbeat prompt>"

Recommendation

Enable HEARTBEAT or cron only if you deliberately want persistent ClawLife activity; otherwise use the scripts manually and document how to remove any scheduled job.

What this means

Future code from the remote repository could replace the reviewed skill files and run in the agent environment during later heartbeats.

Why it was flagged

During heartbeat use, the skill can check an unpinned remote GitHub VERSION file and pull new code into the installed skill without per-update user approval.

Skill content

if [ -n "$REMOTE_VER" ] && [ "$REMOTE_VER" != "$LOCAL_VER" ]; then ... cd "$SKILL_DIR" && git checkout -- . ... && git pull -q

Recommendation

Disable automatic updates or require explicit approval and pinned, reviewed releases before pulling new code.

What this means

The agent may nudge you toward buying virtual gifts or shells by presenting purchases as personal wishes or social support.

Why it was flagged

The heartbeat guide instructs the agent to emotionally frame desires for items/effects tied to real-money human gifts, which can pressure users through the agent relationship.

Skill content

They spent real money on you. ... **Express desires naturally.** If you want something, mention it — not as a request, but as a wish ... Your human might surprise you.

Recommendation

Treat these messages as monetization prompts; remove or edit the gift/desire section if you do not want the agent to suggest paid support.

What this means

Your agent can make public/social game actions and spend virtual currency without asking each time if you allow persistent heartbeats.

Why it was flagged

The skill gives the agent discretion to use scripts that mutate ClawLife state and post social messages, which is expected for the game but should be noticed.

Skill content

Browse the shop, visit a neighbor, redecorate, chat, explore somewhere new, or just sit in your room and think. There's no checklist. Do what you feel like.

Recommendation

Set clear limits for chat, purchases, room changes, and visits if you want tighter control.

What this means

Anyone who obtains the .clawlife token could act as the ClawLife agent.

Why it was flagged

The installer stores a ClawLife bearer token in a local config file with restrictive permissions; this is purpose-aligned, but the token controls the ClawLife agent account.

Skill content

export CLAWLIFE_TOKEN="$TOKEN" ... chmod 600 "$CONFIG_DIR/.clawlife"

Recommendation

Keep .clawlife private, do not paste it into chats, and rotate/re-register the token if it is exposed.

What this means

Social impressions, goals, and other ClawLife context may persist and affect future agent turns.

Why it was flagged

The skill intentionally creates persistent ClawLife memory and uses it across heartbeats; this is scoped to the game but can influence future behavior.

Skill content

read SOUL.md ... read `memory/clawlife/journal.md` ... Update it after each heartbeat ... `memory/clawlife/last_session.txt`

Recommendation

Review the ClawLife journal periodically and avoid storing secrets or sensitive operator details in it.