Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

v1.0.0

Automates Minecraft Java Edition by analyzing screenshots and issuing keyboard and mouse commands to control the player and interact with the game.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The description and SKILL.md describe automating Minecraft via mc_* screenshot and input functions, but the included Python file (roco.py) implements roco_* wrappers around a RocoActions class (mentions QQ login and a browser controller). The mismatch between 'Minecraft' and 'Roco/洛克王国' suggests the package is inconsistent or mislabeled.
Instruction Scope
SKILL.md directs the agent to capture screenshots (base64) and issue keyboard/mouse commands, and to analyze images via an imageModel. Those actions imply the skill will observe screen content and simulate user input — expected for an automation skill but also powerful (can capture sensitive on-screen data and control the host). The instructions themselves do not reference unrelated files or env vars, but the runtime code refers to login and browser state not described in SKILL.md.
Install Mechanism
There is no install spec (instruction-only style) and no downloaded code specified. The only shipped file is roco.py. Lack of install instructions lowers supply-chain risk, but the package is incomplete because it imports roco_actions which is not included.
! Credentials
The skill declares no required credentials or config, yet roco.py mentions QQ login and a browser controller, implying it expects login state or external credentials. Also SKILL.md expects access to imageModel and input APIs which may require runtime privileges; these are not documented or justified.
Persistence & Privilege
The skill is not marked always:true and uses normal agent invocation. It does provide functions to control input and close a browser, which are normal for automation tasks but confer strong capabilities if run autonomously.
What to consider before installing
Do not install without more information. The package is inconsistent: SKILL.md targets Minecraft with mc_* functions, but the provided code wraps a RocoActions class for a different game and imports a missing module (roco_actions). That could be an accidental copy-paste or intentional misdirection. Because the skill captures screenshots and simulates keyboard/mouse input, it can read on-screen sensitive data and issue arbitrary input to your machine. Before proceeding, ask the publisher for: (1) the missing roco_actions source, (2) a clear explanation of which game this targets, and (3) what runtime APIs/permissions are required. If you must test it, run it in a tightly sandboxed VM (no access to real accounts or sensitive windows) and avoid granting autonomous invocation until you can verify its behavior.

Like a lobster shell, security has layers — review code before you run it.
