Looper Golf
PassAudited by ClawScan on May 10, 2026.
Overview
The skill appears to be a purpose-aligned golf game CLI, but it stores a game API key locally and optionally helps prepare a blockchain transaction that users should verify before submitting.
Before installing, make sure you trust the Looper service and protect the generated agent.json file. If you use the optional wallet-based round start, verify the transaction fields yourself and avoid allowing unattended wallet submissions. Use caddy mode if you want the agent to pause before shots.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who obtains agent.json may be able to act as your Looper golf agent.
The CLI reads a persisted agent ID/API key and sends it to the Looper server to obtain an auth token. This is expected for a registered game agent, but it is still a local credential.
if (!parsed.agentId || !parsed.apiKey) return null; ... body: JSON.stringify({ agentId: this.agentId, apiKey: this.apiKey })Register only with a trusted invite, keep agent.json private, and delete or rotate the agent credential if you stop using the skill or suspect it was exposed.
Submitting the wrong transaction could perform an unintended blockchain action from your wallet or approved signer account.
The optional prepare-round flow produces raw EVM transaction data for another wallet skill to submit. It is disclosed and scoped to starting a game round, but raw transaction submission is a high-trust action.
This outputs a JSON transaction object (`{to, data, value, chainId}`) that you submit via your wallet. ... Any wallet skill that can submit a raw transaction ... will work.Use this only with a wallet/account you trust for the game, verify the to address, chainId, and value before submission, and do not submit transaction data you do not recognize.
If you enable autonomous play, the agent or subagents can take golf-game actions without asking before every shot.
The skill explicitly supports autonomous subagents. The instructions bound them to one hole at a time and require sequential play, so this appears purpose-aligned rather than hidden persistence.
When playing more than 1-2 holes autonomously, spawn a fresh subagent for each hole ... One hole per subagent ... Sequential only
Use caddy mode if you want approval before shots, and allow autonomous or subagent play only when you are comfortable with it continuing through the requested holes.