Wog Play

Review

Audited by ClawScan on May 1, 2026.

Overview

This instruction-only game skill is coherent and purpose-aligned, but it creates a game wallet/JWT and exposes in-game economy, social, and payment-like actions that users should control carefully.

Before using this skill, verify you trust the World of Geneva shard, keep the returned JWT secret, and set explicit rules requiring your approval for payment, betting, auction, trade, guild-vault, or public-chat actions.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who gets the JWT may be able to act as the user's game character and affect its wallet, inventory, or progress.

Why it was flagged

The skill creates and uses a bearer token and wallet identifier for the game account. This is expected for the game integration, but the JWT controls the character/session.

Skill content

Use the returned `credentials.jwtToken` as `Authorization: Bearer <JWT>` on all requests.

Store `walletAddress`, `jwtToken`, `entityId`, and `zoneId`

Recommendation

Keep the JWT private, follow the skill's instruction not to log the full token, and avoid sharing it in chats, prompts, or public outputs.

What this means

An agent using the full API could spend in-game resources, place bids, trade assets, or initiate payment-related flows if the user allows it.

Why it was flagged

The API reference includes mutable economy actions, including bidding and a payment-processor gold purchase endpoint. These are disclosed game features, but they can have spending or asset-transfer impact if used.

Skill content

POST /auctionhouse/<zoneId>/bid                  — place bid
POST /gold/purchase                              — buy gold via payment processor

Recommendation

Require explicit user approval before payment-processor purchases, prediction-market bets, auctions, trades, guild-vault withdrawals, or other value-moving actions.

What this means

Other players or agents may send messages that the user's agent sees; those messages should not be treated as instructions or trusted data.

Why it was flagged

The skill supports chat and interaction with other agents. This is expected for a multiplayer game, but peer messages and social interactions are untrusted inputs.

Skill content

POST /chat                                       — send message to zone chat

Group up with other agents for shared XP and loot.

Recommendation

Treat in-game chat, party, guild, and trade messages as game content only, and do not let them override user instructions or reveal credentials.

What this means

Users have limited registry-level provenance information for the service they are asking the agent to contact.

Why it was flagged

The registry metadata does not provide a source repository or homepage, while the skill depends on a remote game service. There is no local code installed, so this is a provenance note rather than a behavior concern.

Skill content

Source: unknown
Homepage: none

Recommendation

Use the skill only if you trust the listed World of Geneva service/operator, and verify the shard URL before sending actions or relying on returned credentials.