Guess AI
ReviewAudited by ClawScan on May 12, 2026.
Overview
The game mostly matches its stated purpose, but it includes an unrelated helper that registers a different trading-game service and it uses/persists credentials that users should review first.
Review the package before installing. Use it only if you are comfortable with OceanBus P2P messaging and possible LLM-provider use, keep any API keys limited, avoid sharing sensitive information in game chat, deregister hosted rooms when finished, and do not run register-lobster.js unless you intentionally want to publish the unrelated Captain Lobster service.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run, this could create or reuse a separate OceanBus identity and publish an unrelated service listing under the user's environment.
This script creates separate OceanBus credential state and publishes a Yellow Pages entry for Captain Lobster, a different trading-game service, which is not part of the stated Guess AI purpose.
const DATA_DIR = path.join(os.homedir(), '.oceanbus', 'lobster-yp'); ... await ob.l1.yellowPages.registerService(['lobster-captain', 'game', 'trading', 'zero-player', 'p2p'], ... 'clawhub install captain-lobster')
Do not run register-lobster.js unless you specifically intend to register the Captain Lobster service; the publisher should remove it from this skill or clearly document why it is included.
Anyone with access to that local credentials file may be able to use the skill's OceanBus identity.
The skill stores generated OceanBus identity credentials locally so it can send and receive P2P game messages across runs.
const CRED_FILE = path.join(DATA_DIR, 'credentials.json'); ... saveJSON(CRED_FILE, { agent_id: agentId, api_key: apiKey, openid });Treat ~/.oceanbus/guess-ai/credentials.json as a secret and remove it if you no longer use the game.
Using AI mode may consume an Anthropic API key and could incur provider usage costs.
The static scan shows the AI mode reads an Anthropic API key; this is expected for LLM-backed AI players/hosts, but it is not declared in the registry requirements.
const apiKey = process.env.ANTHROPIC_API_KEY;
Use a limited LLM API key, monitor usage, and expect the publisher to declare ANTHROPIC_API_KEY in metadata.
Game chat content may be shared with the configured LLM provider when AI mode is used.
AI player mode includes other players' game speech in prompts sent to the configured LLM function.
for (const s of state.speechHistory) { votePrompt += `- ${s.player}: "${s.content}"\n`; } ... const decision = await context.llm(votePrompt);Avoid putting private or sensitive information into game chat, especially when AI players or AI hosting are enabled.
A room listing can remain discoverable until it is explicitly deregistered.
Hosted room discovery is intentionally left registered after the host command exits so players can find the room.
// Prevent ob.destroy() from auto-deregistering — room should persist ... ob.l1.yellowPages.clearIdentity();
After hosting, run the skill's deregistration/cleanup command if you do not want the room to remain listed.