PetRPG
PassAudited by ClawScan on May 1, 2026.
Overview
PetRPG mostly matches a local toy pet game, with the main caveat that its optional multiplayer feature is documented without the referenced implementation or clear safety boundaries.
The included local pet, battle, and achievement scripts appear proportionate for a game. If you only want the local pet game, the artifacts do not show a material security concern. Be cautious with the optional A2A multiplayer: do not import or download a missing online.py module unless you trust and review it, and confirm what endpoint, authentication, and data sharing it uses.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you try to use online multiplayer, you may be prompted to add or rely on an unreviewed module.
SKILL.md references an optional multiplayer helper, but the provided file manifest contains only scripts/achievements.py, scripts/battle.py, scripts/pet.py, and SKILL.md. A user trying to enable this feature may need code that was not included for review.
online.py # OPTIONAL: A2A sync
Use the local pet and battle features as provided; only add an online.py implementation from a trusted source after reviewing what it connects to and what data it shares.
If enabled with an external implementation, the agent could exchange game state or challenges with other agents under unclear trust rules.
The documentation describes cross-agent registration and challenge flows, but does not specify endpoint, identity verification, message origin checks, or permission boundaries. It is optional and not implemented in the included code.
sync.register(); sync.challenge("other-player"); sync.accept_challenge(id)Before enabling A2A multiplayer, require clear documentation of the server/provider, authentication model, accepted message types, and what pet or user data is transmitted.
A user may overlook reviewing multiplayer behavior because the skill frames it as automatically safe.
This blanket assurance downplays the security relevance of A2A multiplayer even though agent-to-agent communication boundaries are not described. The included artifacts do not show malicious behavior, but the wording should not be treated as proof of safety.
This is standard gaming infrastructure, not security concern.
Treat the local game features and any future online/multiplayer implementation separately; review online behavior on its own merits.