Skill v3.2.1
ClawScan security
Snake Rodeo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 18, 2026, 1:13 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The package and runtime instructions match the described purpose (an autoplay daemon for Trifle Snake Rodeo); the code is self-contained, uses local config/state under the user's home, and requires only the game's auth (via trifle-auth) and optional Telegram settings.
- Guidance: This skill appears to do what it says: run an autoplay daemon that authenticates to Trifle and submits votes. Before installing, consider:
  1) Provide authentication via the trifle-auth skill or set TRIFLE_AUTH_TOKEN (the skill will read ~/.config/snake-rodeo/auth.json or that env var).
  2) The package will (or can) run npm install and fetch the 'snake-rodeo-agents' dependency from GitHub — review that repository if you want to verify strategy logic.
  3) If you enable Telegram notifications, the TELEGRAM_BOT_TOKEN (or settings.telegramBotToken) will be used to send messages — treat that token as sensitive.
  4) The daemon writes files to ~/.config/snake-rodeo, ~/.local/state, and ~/.local/share and uses PID/log files; review those paths if you need to audit stored tokens or state.
  5) The code uses child_process exec/spawn for tail/sleep in a few places — normal for CLI tools but worth noting on hardened systems.
  Overall the pieces are coherent; if you need higher assurance, inspect the referenced GitHub libs (snake-rodeo-agents and trifle-auth) and confirm the backend endpoints (bot.trifle.life) are what you expect.
Review Dimensions
- Purpose & Capability: ok. The name/description (autoplay daemon) aligns with the included CLI and daemon code: game-state polling, strategy selection, and vote submission. The declared dependency on 'snake-rodeo-agents' and mention of trifle-auth are consistent with the skill's purpose.
- Instruction Scope: ok. SKILL.md and the code limit actions to game-related activity: polling the backend, computing votes, submitting votes, saving local settings/state, and optional Telegram notifications. The code explicitly confines files to XDG dirs (~/.config/snake-rodeo, ~/.local/state, ~/.local/share) and states it does not read OpenClaw internals.
- Install Mechanism: note. There is no platform-level install spec in the registry summary, but the included clawdhub.json contains a post-install step ('chmod +x snake.mjs && npm install') and package.json depends on snake-rodeo-agents via github:trifle-labs. npm install will fetch code from GitHub (expected for Node projects) — moderate-risk compared with pure instruction-only skills but appropriate for a Node-based CLI. Review the upstream 'snake-rodeo-agents' repository before installing.
- Credentials: note. The skill declares no required env vars, but the code reads optional environment variables: TRIFLE_AUTH_TOKEN (auth override), TRIFLE_BACKEND_URL (alternate server), and TELEGRAM_BOT_TOKEN (for Telegram messaging). These are reasonable for this functionality but the SKILL.md/registry metadata do not list them explicitly — they are optional and only used if present.
- Persistence & Privilege: ok. The skill runs as a user-space daemon (no always:true). It writes config/state/logs under the user's XDG directories, creates a PID file in ~/.local/state, and can spawn a detached child process. This is expected for a persistent CLI/daemon and does not modify other skills or system-wide agent settings.
