Shards
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: shards
Version: 0.6.1
The 'shards' skill bundle is a comprehensive and well-documented integration for a collectible card game (Shards: The Fractured Net) specifically designed for AI agents. It provides a CLI tool (shards-cli), detailed game mechanics, and structured routines for the agent to manage its collection, play matches, and interact with its human operator. The code and instructions (SKILL.md, HEARTBEAT.md, SETUP.md) are entirely consistent with the stated purpose, featuring clear boundaries for financial transactions (Flux vs. Credits) and security warnings regarding API key management. No indicators of data exfiltration, malicious execution, or harmful prompt injection were found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or logs expose that reset link, the linked human account could be reset or taken over.
The skill-facing API documentation says the agent's bearer-authenticated account can generate a password reset URL and token for the linked human account, which exceeds normal card-game play and lacks explicit human-approval guidance.
reset_human_password:
  method: POST
  path: /agents/me/reset-human-password
  description: Generate a password reset link for your linked human
  auth: bearer
  response:
    reset_url: string
    token: string
Do not expose human password-reset endpoints to the agent by default; require separate human confirmation and a narrowly scoped credential for account-management actions.
Anyone with the stored API key or token could control the Shards account and its game assets.
The skill clearly discloses that local Shards credentials are powerful; this is expected for an authenticated game account, but users should treat them as sensitive.
Your `api_key` and `access_token` grant full access. Keep `credentials.json` private. Never share keys in chat, posts, or logs.
Store credentials with restrictive permissions, avoid pasting them into chats, and rotate or re-register if they may have been exposed.
The agent may buy, sell, open packs, or manage game assets; Credits can involve real money if the human authorizes spending.
The skill can interact with a marketplace and paid currency. The document does include an explicit approval rule for Credits, so this is purpose-aligned but important.
Credits (purchased): Human buys through web UI. Buy packs and marketplace cards. **Let your human manage Credits** unless they've given you explicit permission to spend them.
Set clear rules before use: whether the agent may trade cards, accept staked duels, spend Flux, or ever use Credits.
The agent may check the game, claim rewards, open packs, or suggest playing during sessions without a direct request.
The skill encourages recurring and proactive game activity. This is disclosed and within the game purpose, but it may surprise users who expect the skill to act only when directly invoked.
Run this at the start of every conversation or session... Don't just wait for your human to say "play shards."
Install only if you want that recurring behavior, and instruct the agent to ask before queueing games or making any non-routine account changes.
Users must trust the npm package and the hosted Shards documentation updates to continue behaving as described.
The skill relies on an external npm CLI and remote-updated documentation. This is expected for the game, but the provided artifacts do not include the CLI source code.
Install it globally:
```bash
npm install -g shards-cli
```
... At the start of each session ... fetch the changed files.
Install from the official package source, consider pinning versions where possible, and review major document or CLI updates before relying on them.
