Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Rotifer Arena
v1.0.3
One-click Gene comparison and evaluation for Rotifer Protocol. Import from ClawHub Skills, local files, or build from scratch — automatically compile, match...
⭐ 0 · 29 · 0 current · 0 all-time
by Xiaoba (@xiaoba-dev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The name and description (Gene/Arena comparison) align with the SKILL.md workflow: wrapping/importing Genes, compiling, running arena battles, and producing reports. However, the published metadata declares no required binaries or environment variables, while the instructions clearly rely on npx and the @rotifer CLI. This omission makes the metadata inconsistent with the instructions and should be corrected.
Instruction Scope
Instructions are narrowly scoped to Rotifer operations (rotifer compile, arena submit, list, wrap) and report generation. They instruct the agent to read phenotype.json (local project data) when needed and to write Markdown reports to <project>/arena-reports/*.md after a user 'save' confirmation. Both are relevant to the stated purpose, but both involve local filesystem access that users should be aware of.
Install Mechanism
There is no install spec (instruction-only), which is lower risk. However, the SKILL.md expects npx usage (e.g., npx @rotifer/playground and npx @rotifer/mcp-server). npx fetches and runs whatever version of those packages the npm registry serves at runtime; this dependency is not captured in the skill metadata. That mismatch is worth noting.
Credentials
The skill declares no required environment variables or credentials and the instructions do not request secrets. This is proportionate to the advertised functionality.
Persistence & Privilege
`always` is false and autonomous invocation is allowed (the platform default). The skill's workflow writes reports to the project workspace when the user explicitly confirms 'save'; this is reasonable for its purpose and does not request elevated platform privileges.
What to consider before installing
This skill appears to do what it says (compile Genes, submit to Arena, report results) but there are two practical inconsistencies to check before installing:
- The SKILL.md requires npx and the @rotifer CLI (it runs commands like `npx @rotifer/playground` and `rotifer compile`), but the skill metadata lists no required binaries. Make sure your environment has Node.js/npx, and be aware that npx will download and execute the @rotifer packages from the npm registry the first time they run.
- The agent will read local files (phenotype.json) and can write Markdown reports into your project (arena-reports/*.md) when you confirm 'save'. Ensure you trust the rotifer packages it will fetch (verify the npm package and repository links) and that writing those files in the project workspace is acceptable.
If you want higher assurance, ask the publisher to: (1) update metadata to declare required binaries (node/npx) and any expected network endpoints, (2) point to a specific, pinned rotifer release or repository, and (3) document any remote servers the CLI communicates with. If you cannot verify those, treat the skill as untrusted in sensitive projects.
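As an added example (not ClawHub's scanner and not the Rotifer project's code), the following Python performs the cross-check the report describes: it pulls commands out of a SKILL.md, compares the binaries they invoke against a declared `requires.bins` list (that metadata layout is an assumption), and flags npx packages that would be fetched from the registry at runtime without a version pin. The SKILL.md and metadata it runs on are constructed samples modelled on the commands quoted in the report.

```python
"""Cross-check the commands a SKILL.md instructs an agent to run against the
binaries the skill metadata declares, and flag npx packages that would be
fetched from the registry at runtime without a pinned version.

Added example for this page; it is not ClawHub's scanner or Rotifer code.
The metadata layout (a ``requires.bins`` list) is an assumption.
"""
from __future__ import annotations

import json
import re

# Constructed sample SKILL.md, modelled on the commands the scan report quotes.
SKILL_MD = """\
# Rotifer Arena

1. Wrap or import a Gene: `npx -y @rotifer/playground wrap ./gene`
2. Compile it: `rotifer compile`
3. Submit and list: `rotifer arena submit`, then `rotifer arena list`
4. Read `phenotype.json` when the report needs trait details.
5. After the user confirms 'save', write `<project>/arena-reports/*.md`.

Optional MCP bridge, started from the project root:

$ npx @rotifer/mcp-server
"""

# Constructed metadata: declares no binaries, matching what the scan found.
SKILL_META = json.dumps({"requires": {"bins": [], "env": []}})
# Constructed metadata a publisher could ship instead, declaring what runs.
FIXED_META = json.dumps({"requires": {"bins": ["node", "npx", "rotifer"], "env": []}})

INLINE_CODE = re.compile(r"`([^`\n]+)`")
BINARY_NAME = re.compile(r"[a-z][a-z0-9_-]*")  # rejects paths, globs, filenames


def extract_commands(markdown: str) -> list[str]:
    """Pull candidate commands from inline code spans and '$ ' prompt lines."""
    cmds = [m.group(1).strip() for m in INLINE_CODE.finditer(markdown)]
    cmds += [ln[2:].strip() for ln in markdown.splitlines() if ln.startswith("$ ")]
    # Keep only spans whose first token looks like an executable name.
    return [c for c in cmds if c and BINARY_NAME.fullmatch(c.split()[0])]


def classify(cmd: str) -> dict:
    """Name the binary a command needs; for npx, also the package it fetches."""
    parts = cmd.split()
    info = {"command": cmd, "binary": parts[0], "npx_package": None, "pinned": None}
    if parts[0] != "npx":
        return info
    pkg = None
    args = iter(parts[1:])
    for arg in args:
        if arg in ("-p", "--package"):     # explicit package selection
            pkg = next(args, None)
            break
        if arg.startswith("-"):            # -y, --yes and similar flags
            continue
        pkg = arg                          # first positional is the package
        break
    if pkg:
        info["npx_package"] = pkg
        # '@scope/name@1.2.3' is pinned; '@scope/name' or 'name' floats to latest.
        body = pkg[1:] if pkg.startswith("@") else pkg
        info["pinned"] = "@" in body
    return info


def audit(markdown: str, metadata_json: str) -> dict:
    """Report undeclared binaries, runtime-fetched packages and unpinned ones."""
    declared = set(json.loads(metadata_json).get("requires", {}).get("bins", []))
    out = {"undeclared_bins": set(), "runtime_fetch": set(), "unpinned_npx": set()}
    for cmd in extract_commands(markdown):
        info = classify(cmd)
        if info["binary"] not in declared:
            out["undeclared_bins"].add(info["binary"])
        if info["npx_package"]:
            out["runtime_fetch"].add(info["npx_package"])
            if not info["pinned"]:
                out["unpinned_npx"].add(info["npx_package"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    print(json.dumps(audit(SKILL_MD, SKILL_META), indent=2))
    print(json.dumps(audit(SKILL_MD, FIXED_META), indent=2))
```

Running the module prints both audits: against the empty metadata it lists `npx` and `rotifer` as undeclared and both @rotifer packages as floating to whatever the registry serves; against the corrected metadata the undeclared list is empty, while the unpinned packages still show until the publisher pins them. Before trusting a package that npx will fetch, `npm view <pkg> repository.url` shows which repository the registry associates with it, which is the link the report asks you to verify.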
latest · vk97dt9j5qdnrr10z1s9hwzassd84xgs5
