Skillv3.0.0

ClawScan security

Claw Rpg · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 26, 2026, 1:12 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and runtime instructions mostly match an RPG/dashboard use case, but there are multiple mismatches between what it declares and what it actually expects/does (undeclared runtime requirements, undeclared notification credentials, persistent filesystem moves and cron setup, and a recommended per-reply hook) that warrant manual review before installing or enabling it broadly.
Guidance: This skill implements the advertised RPG and dashboard, but there are several mismatches and potentially high-impact behaviors you should review before installing or enabling it: - Node/npm required but not declared: the skill runs `node` scripts and asks you to run `npm install`/`npm start` for the dashboard. Make sure your environment has a trusted Node runtime and inspect the scripts before running them. - Telegram/notification credentials are not declared: the README mentions Telegram reports but the registry metadata lists no required env vars. Search scripts/_notify.mjs and report.mjs to see how the bot token/chat id are supplied (env var vs config file) and avoid putting any shared or sensitive secrets into those locations until you verify behavior. - Persistent save location & auto-migration: scripts will create and move character.json to ~/.openclaw/workspace/claw-rpg, which survives reinstalls. If you don't want persistent user-visible files, do not run the init/migration scripts or review and change paths first. - Cron setup: setup-cron.mjs can add scheduled tasks. Review its code to confirm what it writes to your crontab or scheduler; prefer manual cron entries after inspection. - Per-reply integration: the project recommends running easter.mjs after each reply. That gives the skill the ability to alter outgoing replies (appending flavor text) and to update XP/conversation counters. Only wire that into production reply paths after code review and preferably run it in a sandboxed/test agent first. - Network & outbound behavior: audit scripts/_notify.mjs, report.mjs, and any network calls in the codebase to ensure there are no unexpected external endpoints or exfiltration of files (especially from MEMORY.md / USER.md which may contain private info). Concrete next steps: 1) Review scripts/_notify.mjs, setup-cron.mjs, easter.mjs, and xp.mjs for IO and network behavior. 2) Run the code in an isolated environment (local VM or container) and avoid enabling the after-each-reply hook until you confirm it behaves as expected. 3) If you want Telegram reports, create a dedicated bot/account and store its token in a location you control; do not reuse high-privilege tokens. 4) If you don't want persistent state, edit scripts/_paths.mjs or set OPENCLAW_WORKSPACE to a directory you control before running init.mjs.

Review Dimensions

Purpose & Capability: concernThe SKILL.md describes generating characters, tracking XP, and running a web dashboard, which matches the included scripts and dashboard. However the registry metadata states no required binaries or env vars, while SKILL.md and the shipped files clearly require Node/npm (commands like `node scripts/*.mjs`, `npm install`, `npm start`) and optionally use environment variables (OPENCLAW_WORKSPACE, PORT). That mismatch (declaring 'none' but shipping Node-based code) is an incoherence: a user installing this should expect to need Node and npm.
Instruction Scope: concernThe instructions advise integrating scripts into agent runtime (run scripts/easter.mjs after every reply), setting up a cron job, and running a local web server exposed to the LAN. Those runtime actions go beyond a passive helper: they write/modify save files, increment conversation counters, award XP automatically, and may send notifications. Recommending an after-each-reply hook gives the skill broad opportunity to modify bot replies and update persistent state — appropriate for the feature but high-impact and deserves careful review before enabling.
Install Mechanism: noteThere is no formal install spec in the registry (instruction-only), but the package includes many runnable scripts and a Node-based dashboard that requires `npm install` / `npm start`. This is low-to-moderate risk because code is bundled with the skill (no remote downloads), but the absence of an install step declaration (and missing explicit Node requirement) is an inconsistency users should be aware of.
Credentials: concernSKILL.md and registry metadata declare no required environment variables or primary credential, yet the code reads process.env.OPENCLAW_WORKSPACE and process.env.PORT and the README/SKILL.md references Telegram notifications (config.json and telegram_chat_id). The skill does not declare how Telegram bot credentials are provided, but scripts/_notify.mjs (present in the bundle) likely performs outbound network calls to notify — this is an undeclared credential/network requirement. That gap is suspicious: notification integrations and any outbound endpoints should be explicit so users can control secrets.
Persistence & Privilege: concernThe skill moves and stores save data to a persistent path under the user's home (~/.openclaw/workspace/claw-rpg) and the docs recommend running setup-cron.mjs to create automated jobs. The skill therefore persists state across reinstalls and can schedule recurring tasks on the host. While not necessarily malicious, these are significant privileges (file writes in home + cron modification) and should be considered before granting the skill operational integration into an agent.