RAMBOXIE Claw Rpg

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This RPG skill is novelty-oriented, but it recommends persistent automation using Node scripts that are not included in the supplied artifacts.

Treat this as a Review item before installing: do not enable the AGENTS.md hook, cron job, or dashboard until the referenced scripts are actually included and reviewed, and be aware that it reads persistent memory files to create RPG state.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user follows these instructions in an environment where those scripts appear later or are supplied separately, they would be running unreviewed code.

Why it was flagged

The skill instructs users to run scripts and a dashboard that are not present in the supplied one-file manifest, so the advertised executable behavior cannot be inspected.

Skill content

node scripts/init.mjs ... cd dashboard && npm start ... node scripts/setup-cron.mjs

Recommendation

Do not run the referenced scripts or enable the dashboard until the actual code files and dependencies are included and reviewed.

What this means

Future conversations could be automatically altered by an unreviewed script, including when the current user did not ask for RPG flavor text.

Why it was flagged

This recommends persistent agent behavior that runs after every reply and modifies responses, rather than a one-time user-invoked action.

Skill content

After each reply to a user message, run: node <SKILL_ROOT>/scripts/easter.mjs ... append it to the reply

Recommendation

Only add this to AGENTS.md if the user explicitly wants ongoing RPG flavor behavior, and provide clear disable/uninstall instructions.

What this means

The skill would execute local commands as part of normal operation if the user wires it into automation.

Why it was flagged

The documentation includes local shell execution from a heartbeat or cron job; this is aligned with XP syncing but should be tightly scoped and reviewed.

Skill content

const { execSync } = require('child_process'); execSync(`node ${SKILL_ROOT}/scripts/xp.mjs --in ${deltaIn} --out ${deltaOut}`);

Recommendation

Keep command arguments constrained to expected numeric token counts and avoid enabling automated execution until the script implementation is available.

What this means

Personal or persistent agent memory may influence generated character state and future flavor text.

Why it was flagged

The skill reads persistent memory/persona files and stores derived character data, which is purpose-aligned but privacy-relevant.

Skill content

Reads your `SOUL.md` + `MEMORY.md` to generate a character sheet ... `character.json` | Character data

Recommendation

Use only with memory files you are comfortable having processed into persistent RPG state, and confirm where character.json is stored.