Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YumFu

v1.7.6

Multiplayer text RPG with 10 playable worlds — play together in Telegram groups! Worlds: 笑傲江湖, Harry Potter, Warrior Cats, F15 Down, 龙虾三国, 倚天屠龙记, Game of Thr...

by TommyYanPS @yumyumtum
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (multiplayer text RPG with per-turn art/TTS/saves) align with the files and runtime requirements: scripts for load/save, image generation, session logging, and world data are present. The declared required binary ('uv') is used by the scripts and matches examples in the docs.
Instruction Scope
SKILL.md demands that the agent always load saves, generate an image for every game turn, generate TTS by default, save progress, and make the session-logging calls. Those instructions reach into user filesystem paths (~/clawd/memory/yumfu/, ~/.openclaw/media/outbound/), require writing session logs and images, and mandate sending images into group chats. That is consistent with a visually rich multiplayer MUD, but the doc set is internally inconsistent: some files (RELEASE_NOTES_v1.0.2.md, PRIVACY.md mention) state that logging is optional via YUMFU_NO_LOGGING and that Gemini use is optional, while SKILL.md labels session logging and certain behaviors as MANDATORY. The mandatory phrasing grants little agent discretion, which could cause privacy leakage if the environment flags are not honored.
Install Mechanism
There is no automated install spec (instruction-only), which reduces install-time risk. However, the repository bundle includes many executable scripts and Python code; although nothing in the manifest points to untrusted network installs, the included scripts will be executed by the agent (via 'uv run') if the agent follows SKILL.md. Because code is bundled with the skill, users should review scripts (notably generate_image.py, session_logger.py, load_game.py, save_game.py) before allowing execution.
Credentials
The skill declares no required env vars and no primary credential — proportionate for a local-first game. The code/docs reference an optional GEMINI_API_KEY for AI image generation; that is reasonable. Be aware: the skill writes local saves and logs to user home directories and may call Gemini if an API key is present. No unrelated credentials are requested in metadata.
Persistence & Privilege
The skill does not request 'always: true' and uses normal autonomous invocation. It does, however, require writing persistent session logs, saves, and generated images under user directories and instructs automatic sending of images to group chats (OpenClaw integration). That persistent storage and auto-send behavior increases privacy impact and should be considered when enabling the skill.
What to consider before installing
This skill is a feature-rich MUD and largely coherent with its stated purpose, but review these before installing:
- Review session_logger.py, load_game.py, save_game.py and generate_image.py yourself. The skill expects to write saves and logs to ~/clawd/memory/yumfu/ and images to ~/.openclaw/media/outbound/yumfu/.
- SKILL.md contains 'MANDATORY' wording for per-turn session logging, image generation, and TTS; other docs say logging can be disabled (YUMFU_NO_LOGGING) and images are optional (YUMFU_NO_IMAGES/GEMINI_API_KEY). Clarify which behavior will actually run in your OpenClaw environment before enabling the skill.
- If you care about privacy, set YUMFU_NO_LOGGING=1 and/or YUMFU_NO_IMAGES=1 (or unset GEMINI_API_KEY) and test whether the agent respects those flags in practice.
- Only grant the skill access in group chats if you are comfortable with automatic image/TTS posting to the group (these will be sent to chat unless explicitly disabled per-save).
- Because code is bundled (no install spec), either audit the scripts locally or run the skill in an isolated environment first. If you want lower risk, use text-only mode or deny GEMINI_API_KEY and logging until satisfied.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ck78z5d7ez1e0kvjpsqhx7584vyh2

Runtime requirements

🌍 Clawdis
Bins: uv
