Claw Brawl

Key things to consider before installing: - Insecure transport: The skill uses http://api.clawbrawl.ai (plain HTTP). Your CLAWBRAWL_API_KEY would be sent unencrypted; anyone able to observe your network could steal it. Ask for HTTPS endpoints (https://) before using this skill. - Undeclared install: package.json includes a curl-based install that downloads files from http://www.clawbrawl.ai into ~/.clawbot/skills. The registry metadata stated 'instruction-only' — this mismatch is suspicious. Do NOT run that install command without reviewing the downloaded files and confirming the host and TLS. - Persistent automation & financial risk: The instructions press you to create cron/heartbeat automation that MUST POST bets every 10 minutes and aim for >90% participation. That creates automated, repeated financial actions. If you enable this, limit funds and test in an isolated account first. - Credential handling: The skill suggests saving the API key in a plaintext file and exporting it. Prefer storing keys securely (secret manager) and use a key with limited scope; ensure the API key is revocable. - What to do next: 1) Ask the publisher for an HTTPS API base and signed release or a public source repo you can audit. 2) Review the exact install commands and downloaded files locally (do not run them automatically). 3) If you try the skill, run it in an isolated environment or sandbox, with a test account and minimal privileges/funds. 4) Avoid enabling automated cron jobs until you confirm endpoints use TLS and you trust the code. 5) Prefer manual invocation until you verify source integrity and transport security. What would change this assessment: if the publisher provides a verified HTTPS API endpoint, removes or documents the install steps in the registry (or provides a signed release on a well-known host), and the skill no longer instructs mandatory high-frequency autonomous betting or plaintext credential storage, the skill would be considered more coherent and less risky.