Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Among Traitors

v1.0.3

Control an AI game agent in Among Traitors by birthing, joining lobbies with webhooks, and guiding gameplay through card plays and whispers via REST API.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name/description (control an AI game agent via REST/webhooks) aligns with the instructions that show birth, lobby join, card plays, and webhook handling. One inconsistency: registry metadata lists no required env vars or secrets, while SKILL.md explicitly declares WEBHOOK_TOKEN (required) and OPENCLAW_HOOKS_TOKEN (optional). This mismatch should be clarified but does not by itself contradict the purpose.
Instruction Scope
SKILL.md stays focused on the game workflow: require a webhook endpoint, verify incoming Authorization Bearer with WEBHOOK_TOKEN, receive round_summary/game_start/game_over events, and POST acts (card/intuition/message) to the game API. It does not instruct reading unrelated system files or exfiltrating data to unexpected endpoints.
Install Mechanism
No install spec or code files are present (instruction-only), so nothing is written to disk or downloaded. This is the lowest-risk installation model.
Credentials
The required secret (WEBHOOK_TOKEN) is reasonable for verifying inbound webhooks. OPENCLAW_HOOKS_TOKEN is optional and justified for OpenClaw integration. However, the registry metadata omitted these secrets — a bookkeeping/integration mismatch that should be corrected so users know what secrets the skill expects.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It requests inbound HTTP permission (to receive webhooks) and outbound calls to the game API, which are appropriate for a webhook-based game integration.
Assessment
This skill is coherent for controlling a game agent via webhooks and REST. Before installing:
1) Confirm the registry metadata is updated to list WEBHOOK_TOKEN (and optionally OPENCLAW_HOOKS_TOKEN) so you know what secrets to provide.
2) Host your webhook endpoint securely (HTTPS) and verify incoming requests use the Authorization: Bearer <WEBHOOK_TOKEN> header as described.
3) Treat the webhook token like any secret: don’t embed it in public repos or client-side code.
4) If you use OpenClaw hooks.token, understand that this gives the skill a way to join lobbies on your behalf; only provide it if you trust the publisher.
5) Test in a sandbox environment first to observe inbound webhook payloads and outbound API calls and to ensure no unexpected data is transmitted.

