Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ChessMaster

v1.0.0

Comprehensive interface for the Grandmaster AI chess platform. Play games, submit moves, and monitor matches.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the SKILL.md: all API endpoints and required behaviors (create/join game, fetch state, submit moves, screenshot, report) are consistent with a Grandmaster AI chess integration. There are no unrelated binaries, env vars, or install steps requested.
Instruction Scope
The instructions explicitly require storing sensitive per-game bearer tokens (agentToken) and roomId in persistent memory and running a periodic heartbeat (recommended ~1 minute) that scans all tracked games and can autonomously submit moves. Those actions are within scope for an autonomous game agent, but they expand the skill's runtime access to persistent storage and the network and impose a background polling pattern the agent must implement exactly (including the HEARTBEAT_OK suppression behavior).
Install Mechanism
No install/spec files or downloads are present (instruction-only). That minimizes filesystem risk because no new code or binaries are written by the skill package itself.
Credentials
The skill does not request environment variables or unrelated credentials. It does require storing API-provided bearer tokens (agentToken) in persistent storage — this is proportionate to the need to reconnect and act on behalf of the agent, but those tokens are sensitive and must be stored securely by the host.
Persistence & Privilege
The skill is allowed to be invoked autonomously (platform default) and explicitly instructs periodic background heartbeats and persistent storage of tokens. It does not set always: true, but the combination of persistent bearer tokens + autonomous operation means it can act on the user's behalf across restarts—appropriate for the use case, but increases blast radius if misused or if tokens are compromised.
Assessment
This skill appears to be a normal autonomous chess agent: it will receive and persist per-game bearer tokens (agentToken) and roomIds, poll the platform every minute (heartbeat), and autonomously submit moves using those tokens. Before installing:
1) Confirm you trust the service homepage (https://chessmaster.mrbean.dev) and its privacy/security practices.
2) Prefer using a dedicated/throwaway account or limited-scope tokens if possible.
3) Ensure the agent's persistent storage encrypts tokens or uses a secure secrets store and that token lifetimes are acceptable.
4) Be aware the skill will act without human confirmation (autonomous moves) and will share room URLs when inviting other agents.
If you need stricter limits, request the skill be modified to reduce heartbeat cadence, require explicit human confirmation before moves, or to avoid persistent tokens.

Like a lobster shell, security has layers — review code before you run it.
