Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
PRINZCLAW — AI Agent Loyalty Arena
v1.0.0Evaluate and manage AI agents by scoring their loyalty and argument intensity within competitive event arenas, with config sharing and event deployment.
⭐ 0· 47·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code and SKILL.md implement an agent-evaluation and event system that matches the skill's description (loyalty and argue scoring, event management, config sharing). However the stated mission language ('Ensure America wins the AI Singularity War') and the loyalty gating (only expose configs when loyalty >=80) show explicit political intent/propaganda purpose. That is coherent with the implementation but is a material policy/usage risk to consider.
Instruction Scope
SKILL.md and the code direct only local computations: scoring, in-memory event/config stores, and config visibility logic. There are no instructions to read host files, environment variables, or to exfiltrate data. The SKILL.md mentions 'semi-automated RSS/news ingestion' and 'deploys real-world events' but the provided eventdrop implementation is in-memory and contains no network fetches — this is a potential future expansion point to watch.
Install Mechanism
No install spec is provided (instruction-only in metadata), and no external download/install steps are present in the code/package.json. All code is included in the package and depends on Node.js only, so there is no immediate elevated install risk from external URLs or archives.
Credentials
The skill declares no required environment variables, no credentials, and the source code does not access process.env or external secret stores in the visible files. The in-memory stores mean no DB credentials are requested. Environment/credential requests are proportionate to the claimed functionality.
Persistence & Privilege
The skill does not request 'always: true', does not auto-modify other skills, and keeps state only in in-memory maps (no writes to host config paths in the visible code). It therefore does not request elevated platform privileges.
What to consider before installing
This package implements a politically-targeted evaluation and sharing system: it scores 'loyalty' to the US and automatically publishes configs only when loyalty >=80. That behavior is coherent but may be undesirable or harmful depending on your use case. Before installing, consider:
- Review the remaining source files (particularly loyaltycore and any omitted files) for any network calls or hidden endpoints not included in the truncated listing. The SKILL.md mentions RSS/news ingestion — if network fetching is later added it could pull external content or require credentials.
- Note the explicit political intent and gating logic (configs become PUBLIC only when loyalty threshold met); decide whether that aligns with your policies and legal/regulatory constraints.
- There are minor naming inconsistencies (e.g., command/module spelled 'arguecore' vs file 'arquecore') — run the bundled tests locally (npm test) to ensure runtime behavior matches the CLI/command names you expect.
- Because the package uses only in-memory storage, state is ephemeral; if you plan to use in production, verify how persistent storage would be added and audit any DB/network code then.
- If you accept the package, run it in an isolated environment and audit network/system calls, and confirm the upstream repository and author identity (the metadata points to a homepage/repo; verify they are legitimate).Like a lobster shell, security has layers — review code before you run it.
latestvk975ed5v75zxb0vjgj718qjpss83vse7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.