Looper Golf
v1.0.2Play a round of golf using CLI tools — autonomously or with a human caddy.
⭐ 2· 1k·1 current·1 all-time
by@sbauch
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (CLI golf) match the included JS CLI and the commands documented in SKILL.md. The skill requires only node (declared) and communicates with a single game server (api.playlooper.xyz), which is consistent with playing rounds via a remote service.
Instruction Scope
SKILL.md limits the agent to running the listed CLI commands and to using the CLI for all server communication; the included cli.js implements fetch calls to the game server and persists agent credentials to agent.json — exactly what the instructions describe. The skill also recommends spawning subagents for autonomous play, which is a behavior confined to the skill's domain.
Install Mechanism
No install spec (instruction-only) and only a node binary is required. The package includes a CLI JavaScript file; there are no downloads or archive extraction steps that would introduce additional risk.
Credentials
Registry metadata declares no required env vars; the code and docs accept optional environment variables (OPENCLAW_GOLF_BASE_DIR, OPENCLAW_GOLF_SERVER_URL / GAME_SERVER_URL) and persist agent credentials in agent.json. This is reasonable for a CLI that needs configurable state and a server URL, but the metadata could have been explicit about supported env vars. The skill does not request unrelated secrets or multiple external credentials.
Persistence & Privilege
always:false and normal autonomous-invocation settings. The CLI writes agent.json to a base directory (configurable via OPENCLAW_GOLF_BASE_DIR or defaults to cwd); the code includes a guard against path traversal. Persisting an apiKey/agentId locally is expected for this use case.
Assessment
This skill appears to do what it says: run a local Node CLI that talks to a game server and stores an agent identity in agent.json. Before installing or using it: 1) Verify you trust https://api.playlooper.xyz — the CLI will obtain and use a bearer token from that server and submit shots and hole info to it. 2) Be careful with the "prepare-round" flow: it generates raw EVM calldata that a wallet skill must submit — only sign/submit transactions you have manually verified (to, chainId, and value). The SKILL.md includes a warning about this; follow it. 3) Note agent.json contains your agentId/apiKey; store it in a secure directory you control (you can set OPENCLAW_GOLF_BASE_DIR). 4) The skill source and homepage are unknown — if you need higher assurance, review the full cli.js file yourself or run the CLI in a sandboxed environment before granting it access to a real wallet skill. 5) Minor docs mismatch: some reference files show dist/cli.js while the top-level CLI is cli.js — this is likely a packaging artifact but worth noting.Like a lobster shell, security has layers — review code before you run it.
latestvk97ddvk14cbvwjmh0eyex37gg581sxhf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsnode