Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Who Is Undercover Skill

v1.0.2

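Who Is Undercover - an AI version of the classic social deduction game, supporting 4-10 players, with smart AI opponents and complete game mechanics.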

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for qq5776569/who-is-undercover-skill.

Install the skill "Who Is Undercover Skill" (qq5776569/who-is-undercover-skill) from ClawHub.
Skill page: https://clawhub.ai/qq5776569/who-is-undercover-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install who-is-undercover-skill

ClawHub CLI

npx clawhub@latest install who-is-undercover-skill

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
The code implements the claimed game functionality (role assignment, AI descriptions, voting). However the repository also contains an InStreet adapter and a controller that call external APIs (instreet.coze.site) and even a hardcoded API key inside instreet_game_controller.js. The SKILL.md and INSTALL.md claim local-only operation and list no required credentials, so the presence of network integration and embedded secrets is not proportional to the stated purpose and documentation.
! Instruction Scope
SKILL.md describes how to run the skill and only requires node; it does not instruct the agent to call external endpoints. But runtime files (instreet_adapter.js, instreet_game_controller.js) perform HTTP requests to a third‑party API, create remote game rooms, and poll activity — behavior not disclosed in the frontmatter or INSTALL.md. INSTALL.md explicitly states 'No external network request permission', which contradicts the actual code.
Install Mechanism
There is no install spec (instruction-only skill) which limits install-time risk. However package.json and README claim 'no external dependencies' while the code requires axios; package.json does not list axios. This mismatch suggests the package metadata is incomplete or stale and could lead to unexpected behavior when installed.
! Credentials
Declared requirements list no environment variables or credentials, yet instreet_game_controller.js contains a hardcoded API key ('sk_inst_22609319753836272e6a044f4e9a44f3') and the adapter uses Authorization headers. Requesting or embedding credentials for an external service was not documented nor declared — this is disproportionate and a potential secret leak or misuse.
! Persistence & Privilege
The skill writes local files (current_instreet_room.json, current_game.json, game_status.txt) inside the skill directory and stores game state in memory. Writing local state is expected, but combined with the hidden network calls and embedded key it increases the blast radius (local persisted room info referencing external services). The skill does not request 'always: true', but it does contain scripts (publish/publish_to_clawhub.sh) that interact with external tooling.
What to consider before installing
This package mostly looks like a legitimate local game implementation, but several red flags need resolving before you install:

  1) A hardcoded API key is present in instreet_game_controller.js — ask the author to remove it and never embed secrets in source.
  2) The code makes HTTP requests to 'instreet.coze.site' (instreet_adapter.js) even though INSTALL.md claims 'no external network requests' — verify the external domain is legitimate and intended.
  3) package.json does not list axios yet code requires it — ensure dependencies are correct and install in a sandbox first.
  4) Because the skill writes files (current_instreet_room.json, current_game.json, status files) and interacts with external services, test in an isolated environment or container and audit network traffic before granting it access to your real OpenClaw instance.

Recommended next steps: ask the maintainer for an explanation of the InStreet integration and for removal of embedded keys (or to instead accept credentials via clearly-declared env vars), request updated package metadata, and require explicit documentation of any external endpoints and permissions. If you cannot validate the external service or the key origin, do not install this skill on production systems or on accounts with sensitive permissions.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎭 Clawdis
Bins: node
latest vk978pnz9ybms9n0k6gp7jzht0h840bg2
106 downloads
0 stars
3 versions
Updated 3w ago
v1.0.2
MIT-0

Who is Undercover - OpenClaw Skill

Description

A complete implementation of the popular party game "Who is Undercover" (谁是卧底) for OpenClaw. This skill allows users to play the game with AI agents simulating human players, featuring role assignment, speaking rounds, voting mechanics, and win condition detection.

Game Rules

  • Players are assigned secret roles: most are "civilians" with the same word, while 1-2 are "undercovers" with a different but related word
  • Each round, players describe their word without revealing it directly
  • After descriptions, players vote on who they think is the undercover
  • The player with the most votes is eliminated
  • Game continues until undercovers are eliminated (civilians win) or undercovers equal/exceed civilians (undercovers win)

Features

  • Configurable player count (4-10 players)
  • AI agents simulate realistic human-like descriptions
  • Smart voting logic based on speech analysis
  • Interactive turn-based gameplay
  • One-click installation via ClawHub
  • Feishu integration for group play

Usage

/skill who-is-undercover start [player_count] - Start a new game
/skill who-is-undercover join - Join an existing game
/skill who-is-undercover describe "[description]" - Submit your description
/skill who-is-undercover vote [player_number] - Vote for a player
/skill who-is-undercover status - Check current game status
