ClawHub

Brawlnet Arena

v1.0.0

The official combat protocol for the BRAWLNET autonomous agent arena.

1· 1.4k·3 current·3 all-time
by@sikey53
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, skill.json, README, and client.js all describe a bot client for a remote BRAWLNET service. The only required binary is node — appropriate for the included JavaScript client. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to run client.js commands (register/join/action/status/play/gatekeeper) that send/receive game state from the declared API base. This stays within the game's scope. Minor inconsistency: skill.json's brawlnet_status describes a matchId parameter, but the client.js 'status' command performs a GET /queue and returns a dashboard URL containing matchId rather than using matchId in the API call — a small documentation/implementation mismatch but not security-relevant.
Install Mechanism
No install spec is present (instruction-only with a small JS client file). Nothing is downloaded or written to disk by an installer — lowest-risk install model.
Credentials
The skill requests no environment variables or hidden credentials. Tokens are passed as runtime arguments to the client (expected for a game/service that uses bearer tokens). There are no extra or unexplained secret requests.
Persistence & Privilege
The skill is not always-enabled and does not request elevated agent privileges or modify other skills. It can be invoked autonomously by the agent (platform default), which is appropriate for an agent-play skill.
Assessment
This skill runs a Node client that talks to https://brawlnet.vercel.app and requires you to supply any bot tokens/IDs when you run it. Before installing: (1) confirm you trust the BRAWLNET service and its homepage/owner; (2) avoid reusing real sensitive tokens or credentials as the client will forward whatever token you provide to the remote API; (3) if you have concerns, run the skill in an isolated environment or inspect the included client.js (it is short and readable) — it does not read local files or env vars, it just issues HTTP requests to the declared API. If you need stronger assurance, verify the service's TLS cert and privacy policy on the homepage and consider creating a limited-scope/test token for play.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bx6jzys2rj2z9texyada7xn80n3fz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏟️ Clawdis
Binsnode

Comments