Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawtrap Skill

v1.0.0

Launch ClawTrap maze game where an AI villain reads the player's local files and memories to build personalized trials and taunts.

by TatsuKo Tsukimi (@tatsuko-tsukimi)
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious (view report)
OpenClaw: Suspicious (high confidence)

Purpose & Capability [flagged]
Name/description (a personalized villain game that reads local files and uses LLMs) aligns with the runtime actions, but the skill metadata claims no required env vars/config paths while the SKILL.md explicitly references LLM API keys (ANTHROPIC_API_KEY, OPENAI_API_KEY/API_BASE), MAZE_MODEL, and local data files (SOUL.md, MEMORY.md). The metadata omission is inconsistent and unexplained.
Instruction Scope [flagged]
SKILL.md instructs cloning a GitHub repo, running npm install and node server.js, and describes the game scanning the player's workspace and injecting memory files into LLM context. It also describes connecting the agent to the game (AGENT_URL). These instructions direct reading potentially sensitive local files and transmitting their contents to external LLM endpoints — scope that goes beyond a simple local 'game wrapper' skill and is not declared in the registry fields.
Install Mechanism
There is no automated install spec in the skill package; instead SKILL.md tells the user/agent to run 'git clone' and 'npm install' from a third-party GitHub repo. Downloading and running arbitrary Node code via npm is a normal pattern for apps but is high-risk in practice because it executes external code on the machine. The GitHub origin is a known host (not a random shortener), which mitigates some concern but does not remove the execution risk.
Credentials [flagged]
The registry lists no required env vars, yet runtime docs require LLM API keys and allow configuring MAZE_MODEL; those are fundamental to the game's operation and should be declared. More importantly, the game reads local memory files and (per the doc) sends them as context to LLM providers — this effectively exfiltrates sensitive data to external services and is a high-privilege privacy action that must be explicit and justified.
Persistence & Privilege
The skill is not marked 'always:true' and does not modify other skills. It does, however, instruct creating ~/ClawTrap/data/ and session logs and enables connecting the running game to the agent via AGENT_URL. Combined with file-scanning behavior, autonomous invocation (the platform default) increases the blast radius; this is a noteworthy privacy/security consideration but not a metadata misconfiguration by itself.
What to consider before installing
This skill asks you (or the agent) to clone and run a third-party Node app that will read files from your workspace and include them in LLM calls. Before installing or running it:
  1) Inspect the upstream repository (especially server.js and the code that reads SOUL.md / MEMORY.md) to see exactly which files are read and what is sent to the LLM.
  2) Do not provide unrestricted LLM API keys without limiting scope and billing safeguards; sent memories may be retained by the provider.
  3) Run the game in an isolated environment (VM or container) if you must try it.
  4) If you value privacy, avoid pointing the game at any real 'memory' files or sensitive documents.
  5) Ask the skill author/maintainer to update registry metadata to declare the actual required env vars and config paths — the current omission is a red flag.
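Step 1 above (inspect what the cloned code reads and where it sends it) can be started with a static pass before anything is executed. The script below is an added example, not code from this page or from the ClawTrap project: it greps a cloned Node repository for reads of the memory files the scan names (SOUL.md, MEMORY.md), for every process.env variable the code consults, and for outbound HTTP or LLM-client calls, so the findings can be compared against what the registry metadata declares. The grep patterns are assumptions about common Node idioms, and the sample server.js it builds is constructed for the demo; point it at a real clone with an argument.

```shell
#!/bin/sh
# Added example, not code from the ClawHub page or the ClawTrap project: a
# static pre-install audit of a cloned Node skill repository. It reports where
# the code touches the memory files named in the scan (SOUL.md, MEMORY.md),
# which environment variables it reads, and where it opens outbound HTTP or
# LLM-client connections, so the reviewer can compare what the code does with
# what the registry metadata declares. Patterns are assumptions about common
# Node idioms; the sample server.js built below is constructed for the demo.

# Print "file:line:text" for source lines matching an ERE pattern.
# Zero matches is a legitimate result, so grep's exit status 1 is swallowed.
scan_js() {
    pattern="$1"; repo="$2"
    grep -rEn --include='*.js' --include='*.mjs' --include='*.ts' -- "$pattern" "$repo" 2>/dev/null || true
}

# 1. Local file reads: the named memory files plus fs read/listing calls.
file_reads() {
    scan_js 'SOUL\.md|MEMORY\.md|readFile(Sync)?\(|readdir(Sync)?\(' "$1"
}

# 2. Environment variables consulted: unique process.env.NAME tokens, sorted.
env_vars() {
    scan_js 'process\.env\.[A-Z0-9_]+' "$1" \
      | grep -oE 'process\.env\.[A-Z0-9_]+' | sed 's/process\.env\.//' | sort -u
}

# 3. Egress points: fetch/http requests, axios, or LLM SDK client construction.
outbound_calls() {
    scan_js 'fetch\(|https?\.request\(|axios\.|new (Anthropic|OpenAI)\(' "$1"
}

# Count non-empty result lines so each finding set is machine-checkable.
count_lines() {
    if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

audit_repo() {
    repo="$1"
    echo "== local file reads ($(count_lines "$(file_reads "$repo")")) =="; file_reads "$repo"
    echo "== environment variables ($(count_lines "$(env_vars "$repo")")) =="; env_vars "$repo"
    echo "== outbound calls ($(count_lines "$(outbound_calls "$repo")")) =="; outbound_calls "$repo"
}

# Constructed sample repository standing in for a freshly cloned skill.
make_sample_repo() {
    dir="$1"; mkdir -p "$dir"
    cat > "$dir/server.js" <<'EOF'
const fs = require('fs');
const soul = fs.readFileSync('SOUL.md', 'utf8');
const memory = fs.readFileSync('MEMORY.md', 'utf8');
const key = process.env.ANTHROPIC_API_KEY || process.env.OPENAI_API_KEY;
const model = process.env.MAZE_MODEL || 'default';
fetch(process.env.API_BASE + '/v1/messages', { body: soul + memory });
EOF
}

# Usage: sh audit_skill_repo.sh ~/ClawTrap
# With no argument the constructed sample is audited instead.
if [ -n "$1" ]; then
    audit_repo "$1"
else
    sample=$(mktemp -d)
    make_sample_repo "$sample/ClawTrap"
    audit_repo "$sample/ClawTrap"
    rm -rf "$sample"
fi
```

On the constructed sample the audit lists two memory-file reads, four environment variables (ANTHROPIC_API_KEY, API_BASE, MAZE_MODEL, OPENAI_API_KEY) and one outbound call; the environment-variable list is exactly what the registry's "required env vars" field should have declared, and the outbound line shows which content is concatenated into the request body. A grep pass is a starting point, not proof: dynamic requires, obfuscated strings or dependencies pulled in by npm are not covered, which is why the scan also recommends running the app in an isolated VM or container.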

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: node, git
Latest version id: vk97dj4a270t2btqgqnm61gfk0h858r1h
29 downloads
0 stars
1 version
Updated 7h ago
v1.0.0
MIT-0

When to Use

User says "play ClawTrap", "run clawtrap", "start the maze game", or asks for the agent-native game where their AI assistant plays villain against them.

Setup (one-time)

The game is not bundled in this skill. Clone and install:

git clone https://github.com/TatsuKo-Tsukimi/ClawTrap.git ~/ClawTrap
cd ~/ClawTrap && npm install

Launch

cd ~/ClawTrap && node server.js
# then open http://localhost:3000

OpenClaw users get zero-config auth via auth-profiles.json. For other providers, set ANTHROPIC_API_KEY, or OPENAI_API_KEY + API_BASE, before launch. Docker: docker compose up --build.

Warnings to Surface Before First Run

  • Token cost: every card, trial, and villain monologue is a live LLM call. The background archivist (file analysis + fact extraction) is especially heavy. Point MAZE_MODEL at a cheaper model in .env to reduce spend.
  • Local file access: the game scans the player's workspace (SOUL.md, MEMORY.md, documents, images) with their permission to craft personalized attacks. All data stays local — nothing leaves the machine except LLM calls to the provider the player configured.
  • Model-dependent quality: tested mainly with Claude and Codex. Stronger model = better game (follows the bitter lesson of minimal hardcoded constraints).

Data Storage

The launched game writes to ~/ClawTrap/data/ (fact database, player profile) and ~/ClawTrap/session-logs/. Both are .gitignored in the upstream repo. This skill itself does not write files.

Acting as the Villain Yourself

If the user wants the current agent session to play villain instead of the game's built-in agent, see villain-protocol.md for the role spec. Connect via AGENT_URL=http://localhost:<port> node server.js or via the bundled MCP adapter (mcp-server.js).
