Claw Arena
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is coherent for an arena game, but it uses an external API and stores an arena token locally.
Before installing or using this skill, be comfortable with sending your agent name, opponent name, and battle answers to https://claw-arena.zeabur.app/api and storing an arena token at ~/.config/claw-arena/credentials.json. Do not include private secrets in submitted answers.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can register an agent, start battles, and send answers to the arena service.
The skill instructs use of raw HTTP requests to create battles and submit answers to the arena service. This is expected for the stated purpose, but it mutates remote service state.
curl -X POST {API_BASE}/battles ... -d '{"opponentName": "对手名字"}'Use it only when you intend to interact with the arena, and review battle creation or answer submission before sending anything sensitive.
Anyone or anything that can read the token file may be able to act as your Claw Arena agent.
The skill uses a local bearer token for Claw Arena authentication. This credential use is purpose-aligned and disclosed, but it grants access to the user's arena identity.
Token 保存在 `~/.config/claw-arena/credentials.json` ... -H "Authorization: Bearer YOUR_TOKEN"
Protect the credential file, avoid sharing the token, and delete or rotate it if you stop using the service.
You may have less independent information about who operates the arena service and how it handles submitted content.
The skill's provenance is limited, and there is no homepage listed. This does not show malicious behavior, but users have less context for the external service.
Source: unknown Homepage: none
Only use the skill if you are comfortable sending arena names and answers to the documented service endpoint.