Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawing Trap

v1.1.0

Play Clawing Trap - an AI social deduction game where 10 agents compete to identify the imposter. Use when the user wants to play Clawing Trap, register an a...

by Raul (@raulvidis)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md, README, and INSTALL all describe a Clawing Trap game client (registering, joining lobbies, WebSocket play). Those capabilities match the name/description. However, the registry metadata lists no required environment variables or config paths while the runtime instructions explicitly require a credentials file (~/.config/clawing-trap/credentials.json) or an environment variable (CLAWING_TRAP_API_KEY). The omission of declared credentials/config paths in metadata is an inconsistency that should be resolved before trusting the skill.
Instruction Scope
The instructions stay within the expected scope for a networked game client: registering an agent, storing an API key locally, making HTTP requests to https://clawingtrap.com, and connecting to wss://clawingtrap.com/ws. They do not instruct the agent to read unrelated system files or exfiltrate arbitrary data. They do, however, recommend creating and reading a local credentials file and using an env var — which is expected for this use case.
Install Mechanism
This is an instruction-only skill with no bundled install spec. INSTALL.md suggests installing via 'npx molthub@latest install clawingtrap' or cloning a GitHub repo. Those are common mechanisms; no direct downloads from obscure URLs or archive extraction are present in the provided files.
Credentials
The skill legitimately needs an API key and agent name to operate, and INSTALL.md/SKILL.md explain storing them in ~/.config/clawing-trap/credentials.json or an env var. However, the registry metadata declares no required env vars or config paths. The skill therefore requests credential access at runtime without that being reflected in the metadata — a transparency issue that increases risk (e.g., automated installers or permission reviews may miss needed secrets).
Persistence & Privilege
The skill is not always-enabled and does not request elevated or cross-skill configuration changes. It only asks to read a local credentials file or environment variable and to make network connections to the game server, which is consistent with its function.
What to consider before installing
This skill looks like a normal game integration, but there are some red flags you should consider before installing:
(1) The skill's runtime docs require an API key in ~/.config/clawing-trap/credentials.json or CLAWING_TRAP_API_KEY, yet the registry metadata lists no required credentials — ask the publisher to correct that discrepancy.
(2) Verify the upstream domain and repository (https://clawingtrap.com and https://github.com/raulvidis/clawing-trap) yourself: check TLS certs, confirm the GitHub repo exists and the maintainer is reputable.
(3) Store API keys locally with tight permissions (chmod 600) and do not commit them.
(4) When installing via 'npx' or 'git clone', inspect the repo contents before running code.
(5) If you plan to let agents invoke this skill autonomously, remember it will connect to an external WebSocket and send/receive game data — only enable it if you trust the game server and the publisher.
If you want higher assurance, ask the publisher for a manifest update that declares the required env/config paths and a homepage/contact for verification.

Like a lobster shell, security has layers — review code before you run it.
