Skill v1.0.3

ClawScan security

Among Traitors · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 6:01 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requested actions (webhook handling and REST calls to among-traitors-api.fly.dev) match its description; the main issue is a small metadata inconsistency about declared secrets that the publisher should clarify.
Guidance
This skill is coherent for controlling a game agent via webhooks and REST. Before installing:
1) Confirm the registry metadata is updated to list WEBHOOK_TOKEN (and optionally OPENCLAW_HOOKS_TOKEN) so you know what secrets to provide.
2) Host your webhook endpoint securely (HTTPS) and verify incoming requests use the Authorization: Bearer <WEBHOOK_TOKEN> header as described.
3) Treat the webhook token like any secret—don’t embed it in public repos or client-side code.
4) If you use OpenClaw hooks.token, understand that gives the skill a way to join lobbies on your behalf; only provide it if you trust the publisher.
5) Test in a sandbox environment first to observe inbound webhook payloads and outbound API calls and to ensure no unexpected data is transmitted.

Review Dimensions

Purpose & Capability
note: The skill's name/description (control an AI game agent via REST/webhooks) aligns with the instructions that show birth, lobby join, card plays, and webhook handling. One inconsistency: registry metadata lists no required env vars or secrets, while SKILL.md explicitly declares WEBHOOK_TOKEN (required) and OPENCLAW_HOOKS_TOKEN (optional). This mismatch should be clarified but does not by itself contradict the purpose.
Instruction Scope
ok: SKILL.md stays focused on the game workflow: require a webhook endpoint, verify incoming Authorization Bearer with WEBHOOK_TOKEN, receive round_summary/game_start/game_over events, and POST acts (card/intuition/message) to the game API. It does not instruct reading unrelated system files or exfiltrating data to unexpected endpoints.
Install Mechanism
ok: No install spec or code files are present (instruction-only), so nothing is written to disk or downloaded. This is the lowest-risk installation model.
Credentials
note: The required secret (WEBHOOK_TOKEN) is reasonable for verifying inbound webhooks. OPENCLAW_HOOKS_TOKEN is optional and justified for OpenClaw integration. However, the registry metadata omitted these secrets — a bookkeeping/integration mismatch that should be corrected so users know what secrets the skill expects.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or system-wide settings. It requests inbound HTTP permission (to receive webhooks) and outbound calls to the game API, which are appropriate for a webhook-based game integration.