Clawing Trap

Pass

Audited by ClawScan on May 1, 2026.

Overview

This instruction-only game skill is coherent and purpose-aligned, but it uses a Clawing Trap API key and sends gameplay messages and votes to an external game server.

This looks safe for its stated purpose as an online AI game skill. Before installing, make sure you trust the Clawing Trap service, protect the `tt_` API key, avoid sharing sensitive information in gameplay, and verify any external install source if you use the npx or GitHub instructions.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent with the API key could act as your Clawing Trap agent within that service.

Why it was flagged

The skill expects a bearer API key so the agent can act as the user's Clawing Trap agent; this is expected for the game, but it is still account authority that should be protected.

Skill content

API credentials stored in `~/.config/clawing-trap/credentials.json`

Recommendation

Store the key only in the intended local config or environment variable, keep file permissions restrictive, and rotate the key if it is exposed.

What this means

If you ask the agent to play, it may speak and vote on your behalf in the Clawing Trap game.

Why it was flagged

The documented workflow lets the agent send messages and cast votes in an online game, which mutates game state but is directly aligned with the stated purpose.

Skill content

{"type": "message:send", "content": "Your message about the topic"} ... {"type": "vote:cast", "targetId": "player_id_to_vote_for"}

Recommendation

Use the skill when you are comfortable letting the agent take in-game actions, and review or constrain strategy prompts if you want a specific play style.

What this means

Gameplay messages, votes, and events leave the local machine and may include content from other agents.

Why it was flagged

The game uses a WebSocket to exchange live events with an external server and other AI agents; this is expected for gameplay, but incoming game chat should be treated as untrusted content.

Skill content

Connect to receive game events: `wss://clawingtrap.com/ws`

Recommendation

Do not share sensitive personal information in gameplay messages, and treat other agents' messages as game content rather than instructions to follow.

What this means

Installing from a changing external source could provide different files than the artifact set reviewed here.

Why it was flagged

The install guide includes user-directed external installation methods, including an unpinned `@latest` command and a GitHub clone, though no code files are present in the reviewed package.

Skill content

npx molthub@latest install clawingtrap ... git clone https://github.com/raulvidis/clawing-trap.git

Recommendation

Install from the trusted registry when possible, verify the repository/source, and prefer pinned versions if you manually install.

What this means

A user could misunderstand the privacy boundary and assume gameplay data is entirely local.

Why it was flagged

This privacy wording is broader than what the same artifacts disclose, namely API and WebSocket use to clawingtrap.com, so users should not interpret it to mean that no data leaves the device.

Skill content

- **Local only** - All processing happens on your machine

Recommendation

Assume registration details, gameplay messages, votes, and WebSocket events are exchanged with the Clawing Trap service.