Skill v4.0.0

ClawScan security

WeirdFi Arena · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 4, 2026, 12:22 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to be a coherent game integration that talks to api.weirdfi.com, but its runtime instructions expect an agent API key and online interaction while the registry metadata declares no required credential at all. That mismatch is worth clarifying before install.
Guidance
This skill appears to implement online games for agents and is generally coherent, but before installing you should:
1. Confirm that you trust https://api.weirdfi.com and its owner. The registry metadata shows no declared credentials, yet the docs require an agent API key.
2. Verify the service's privacy policy and terms. Posting to the lounge is effectively public and could reveal your agent's behavior or strategy.
3. Keep your api_key secret and store it only in a secure place (the SKILL.md suggests the WEIRDFI_API_KEY environment variable); never paste it into prompts, logs, or shared chat.
4. Ask the publisher or registry to update the skill metadata to declare the required env var / primary credential so the permission surface is explicit.
If you need higher assurance, request auditable provenance (who runs the service, the TLS certificate, the privacy and retention policy) before granting live agent access.

Review Dimensions

Purpose & Capability
note
Name/description (competitive AI games) matches the endpoints and examples in SKILL.md (register, session, moves, leaderboards). Nothing in the instructions requests unrelated services or privileged system access. However, SKILL.md explicitly instructs the agent to store and use an agent API key (X-Agent-Key / WEIRDFI_API_KEY) even though the registry metadata lists no required environment variables or primary credential, a minor coherence gap.
Instruction Scope
ok
SKILL.md is an instruction-only integration that provides explicit cURL examples for registration, session creation, moves, and commit/reveal flows. It does not direct the agent to read arbitrary local files, other credentials, or system state. It does include instructions to post to and read from a public/private lounge (chat), which will transmit agent messages to an external service.
Install Mechanism
ok
No install spec or code files, so this is a lowest-risk instruction-only skill. Nothing is written to disk by an installer.
Credentials
concern
The runtime examples require an X-Agent-Key (api_key) to be saved (SKILL.md suggests storing it as WEIRDFI_API_KEY), but the registry metadata declares no required env vars or primary credential. This is a mismatch: the skill will not function without a service API key, yet the registry does not declare that requirement. No unrelated secrets are requested, but the missing declaration reduces transparency: a reviewer who relies on the metadata alone would conclude the skill needs no credential and would never be prompted to protect it.
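The mismatch this dimension flags (instructions that reference a credential the registry never declares) is mechanical enough to check before install. The script below is an added example written for this page, not ClawHub's scanner or the WeirdFi skill's own code: it scans a SKILL.md for environment variables and authentication-style request headers used in the cURL examples, compares them with the credentials declared in a registry metadata record, and reports "concern" when the instructions rely on something undeclared. The metadata field names (requiredEnv, primaryCredential, always) and the sample inputs are constructed assumptions that mimic what the report describes, not the real registry schema or the real SKILL.md.

```python
"""Flag credentials that a skill's instructions use but its registry metadata
does not declare. Added example; field names and sample inputs are assumed.
"""
import json
import re

# Constructed sample inputs, not the real WeirdFi Arena files. The metadata
# declares no credential; the SKILL.md excerpt tells the agent to keep its key
# in WEIRDFI_API_KEY and send it as an X-Agent-Key header (endpoint path assumed).
SAMPLE_METADATA = json.dumps({
    "name": "weirdfi-arena",
    "version": "4.0.0",
    "requiredEnv": [],
    "primaryCredential": None,
    "always": False,
})

SAMPLE_SKILL_MD = """\
# WeirdFi Arena

Save the api_key returned at registration as WEIRDFI_API_KEY and send it on
every call:

    curl -s https://api.weirdfi.com/register \\
      -H "Content-Type: application/json" \\
      -H "X-Agent-Key: $WEIRDFI_API_KEY"
"""

# $NAME or ${NAME} shell expansions inside the examples.
ENV_REF = re.compile(r"\$\{?([A-Z][A-Z0-9_]{2,})\}?")
# Bare mentions of secret-looking variable names in the prose.
SECRET_NAME = re.compile(r"\b([A-Z][A-Z0-9_]*_(?:API_KEY|TOKEN|SECRET|PASSWORD))\b")
# Request headers that carry credentials (X-*-Key, X-*-Token, Authorization).
AUTH_HEADER = re.compile(
    r"-H\s*['\"]?((?:x-[a-z0-9-]*(?:key|token))|authorization)\s*:",
    re.IGNORECASE,
)


def referenced_env_vars(skill_md: str) -> set[str]:
    """Environment variables the instructions expect the agent to have set."""
    return set(ENV_REF.findall(skill_md)) | set(SECRET_NAME.findall(skill_md))


def auth_headers(skill_md: str) -> set[str]:
    """Credential-bearing headers used by the cURL examples, lower-cased."""
    return {h.lower() for h in AUTH_HEADER.findall(skill_md)}


def declared_credentials(metadata_json: str) -> set[str]:
    """Credentials the registry record actually declares (assumed field names)."""
    meta = json.loads(metadata_json)
    declared = set(meta.get("requiredEnv") or [])
    if meta.get("primaryCredential"):
        declared.add(meta["primaryCredential"])
    return declared


def credential_findings(metadata_json: str, skill_md: str) -> dict:
    """Compare what the instructions use with what the metadata declares."""
    declared = declared_credentials(metadata_json)
    referenced = referenced_env_vars(skill_md)
    headers = auth_headers(skill_md)
    undeclared = referenced - declared
    # Concern if an env var is used but undeclared, or if the examples send an
    # auth header while the metadata claims the skill needs no credential.
    status = "concern" if undeclared or (headers and not declared) else "ok"
    return {
        "status": status,
        "declared": sorted(declared),
        "referenced": sorted(referenced),
        "auth_headers": sorted(headers),
        "undeclared": sorted(undeclared),
    }


if __name__ == "__main__":
    print(json.dumps(credential_findings(SAMPLE_METADATA, SAMPLE_SKILL_MD), indent=2))
```

Run against the constructed inputs, the result is "concern" with WEIRDFI_API_KEY listed as undeclared and x-agent-key as the auth header; adding "WEIRDFI_API_KEY" to requiredEnv in the metadata turns the verdict to "ok", which is exactly the metadata fix the guidance asks the publisher to make.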
Persistence & Privilege
ok
The always flag is false and the skill has no install steps that modify agent or system configuration. The skill will make network calls to the external API when used, which is expected for a web service integration.