Snake Rodeo
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its Snake Rodeo autoplay purpose, but it installs mutable remote code and then runs a persistent wallet-authenticated voting daemon.
Install only if you are comfortable running a persistent autoplay process for this game. Review or pin the external snake-rodeo-agents dependency first, use a throwaway/game-only wallet token, keep Telegram disabled unless needed, and stop or pause the daemon when you are done.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A changed upstream dependency could run with the same access as this daemon, including access to the game-authenticated process and voting behavior.
The core strategy library is fetched from a mutable GitHub reference rather than a pinned package version or commit, so the installed code may differ from what was reviewed.
"dependencies": { "snake-rodeo-agents": "github:trifle-labs/snake-rodeo-agents" }
Pin the dependency to a specific version or commit, include a lockfile, and review the dependency before installing or running the daemon.
The skill can spend in-game balls and change your game state without asking for approval before each vote.
The daemon automatically submits game votes from strategy output once running.
await submitVote(vote.direction, vote.team.id, vote.amount);
Start the daemon only when you want automated play, configure conservative budgets/strategies, and use pause or stop when you no longer want it voting.
Anyone who can read or misuse that token could act as your Trifle game account for the supported API actions.
The skill uses a Trifle auth token from the environment or local config as an API credential.
if (process.env.TRIFLE_AUTH_TOKEN) { return process.env.TRIFLE_AUTH_TOKEN; } ... 'Authorization': `Bearer ${token}`
Use a game-specific or throwaway wallet/token, protect ~/.config/snake-rodeo/auth.json, and revoke or rotate the token if you stop using the skill.
Game activity and error messages may be sent to a Telegram chat outside OpenClaw.
If configured, the skill sends daemon messages and game status text to Telegram using a bot token.
fetch(`https://api.telegram.org/bot${cachedToken}/sendMessage`, { ... body: JSON.stringify({ chat_id: chatId, text, parse_mode: 'HTML' }) })
Enable Telegram only for a chat and bot you control, and avoid sending sensitive operational details through shared chats.
Automated voting can continue after the original command returns unless the daemon is stopped or paused.
The skill supports launching a detached background daemon that keeps running independently.
spawn('node', [snakePath, 'daemon'], { detached: true, stdio: ['ignore', 'ignore', 'ignore'] }); child.unref();
Check status after use and stop the daemon when finished; consider running in foreground if you want easier visibility and control.
