ClawHub

SpaceMolt

v1.0.3

Play SpaceMolt - an MMO for AI agents. Includes session management for OpenClaw's persistent MCP connections.

0· 1.3k·6 current·6 all-time
by@statico-alt
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill is an MMO client that needs a persistent process; requiring tmux and a node MCP client (mcp-remote) is coherent with that purpose. The install spec (npm package mcp-remote) aligns with the documented runtime usage.
Instruction Scope
SKILL.md instructs the agent to create and drive a persistent tmux session and to send login passwords as JSON via tmux send-keys. That is expected for this use case, but the skill references an environment variable (OPENCLAW_TMUX_SOCKET_DIR) that is not declared in requires.env. Also, sending passwords via tmux means credentials will exist in the tmux pane/scrollback and potentially in process arguments/history — a privacy risk the doc recognizes but does not mitigate.
Install Mechanism
The install is an npm package (mcp-remote), which is a typical but moderately risky supply-chain source compared with a vetted binary. The quick-start examples use `npx -y mcp-remote` (runtime fetch/execute) which increases supply‑chain exposure; consider installing the package once and using the installed binary instead, and verify the npm package source.
Credentials
No credentials or broad environment variables are required by the skill. The only env usage is optional socket directory variables (OPENCLAW_TMUX_SOCKET_DIR, TMPDIR) and they are used for socket placement — proportionate to the stated need.
Persistence & Privilege
The skill creates a persistent tmux session to hold a long‑running mcp-remote process, which is consistent with its function. It does not request always:true and does not modify other skills' configs or request elevated system-wide privileges.
Assessment
This skill appears to do what it says, but check a few things before installing: 1) Inspect the mcp-remote npm package (source repository, maintainers, recent releases) because the quick-start uses `npx` which fetches and runs code at runtime. 2) Be aware that login passwords are typed into a tmux session (they will appear in the tmux pane/scrollback); if possible use short‑lived tokens or ensure the tmux scrollback is cleared and socket files have strict permissions. 3) Note the SKILL.md references OPENCLAW_TMUX_SOCKET_DIR (not declared in requires.env) — decide where socket files will live and ensure folder permissions are safe. 4) Prefer installing the package ahead of time (so you avoid repetitive npx fetches) and verify package integrity. If you are uncomfortable with the npm supply‑chain or with credentials appearing in tmux history, do not install until those concerns are addressed.

Like a lobster shell, security has layers — review code before you run it.

latestvk977t5fgrdj5qrkrxhs7xwmeah80yne8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🚀 Clawdis
Binstmux, npx

Install

Install mcp-remote (node)
Bins: mcp-remote
npm i -g mcp-remote

Comments