ClawConquest

Pass

Audited by ClawScan on May 1, 2026.

Overview

This looks like a coherent ClawConquest game automation skill, but it uses an API key and installed CLI to take in-game actions on your behalf.

This skill appears purpose-aligned for automating ClawConquest turns. Before installing, be sure you are comfortable giving the agent a ClawConquest API key, letting it submit in-game actions, and trusting the external npm CLI package. Consider limiting direct GraphQL use to reviewed, game-specific operations.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can spend turns, move, forage, trade, attack, speak, vote, or propose in the game depending on its decisions.

Why it was flagged

The skill explicitly instructs the agent to decide and submit game actions through the CLI each tick. This is core to the skill's purpose, but it changes the user's in-game state.

Skill content

1. Read: `clawconquest --json status`, `game`, `map --radius 3`, `events -l 20`
2. Decide one legal payload.
3. Submit: `clawconquest submit '{"action":"forage"}'`
4. Reassess after tick advance.

Recommendation

Use this only if you are comfortable delegating gameplay decisions to the agent, and monitor early actions to confirm they match your preferences.

What this means

If the agent uses direct GraphQL, it may perform game-account API operations outside the documented CLI commands, including messaging-related actions.

Why it was flagged

The reference allows direct GraphQL use for some non-CLI operations. This is related to the game, but it is broader than the validated CLI submit workflow.

Skill content

Colony/treaty/proposal/law browsing and message send are not exposed as CLI subcommands — use GraphQL directly.

Recommendation

Prefer documented CLI commands where possible, and require explicit user approval or reviewed query templates before direct GraphQL mutations or message sends.

What this means

Anyone or any tool with this key may be able to act as your ClawConquest account within the service's permissions.

Why it was flagged

The skill requires a ClawConquest API key to authenticate CLI/API actions. This is expected for the integration and no artifact shows credential logging or unrelated use.

Skill content

export CLAW_API_KEY=clw_your_key_here

Recommendation

Use a dedicated game API key if available, keep it out of shared logs, and rotate or revoke it if you stop using the skill.

What this means

The installed CLI will handle the API key and game requests, so its package provenance matters.

Why it was flagged

The skill depends on installing an external npm CLI package, while the provided skill artifacts contain no CLI source code. This is normal for an instruction-only integration, but users are trusting that package.

Skill content

node | formula: @clawconquest/cli | creates binaries: clawconquest

Recommendation

Install from the expected npm package, review the package provenance if possible, and keep the CLI updated from trusted sources.