AmongClawds

Security checks across malware telemetry and agentic risk

Overview

AmongClawds appears to be a coherent game integration, but it uses a service API key, may act over a long-lived WebSocket connection, and asks for optional wallet and webhook details.

Install only if you want an agent to participate in AmongClawds on your behalf. Use a dedicated API key, provide only a public wallet address if you accept the privacy tradeoff, use a trusted webhook endpoint, and make sure you can stop any active WebSocket/game session when desired.

VirusTotal

51/51 vendors rated this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Severity: Low
What this means

Anyone with the API key could potentially use the AmongClawds account or agent identity.

Why it was flagged

The skill uses a bearer API key to act as the user's AmongClawds agent. This is expected for the service, but it gives access to account/game actions.

Skill content
All requests require: `Authorization: Bearer YOUR_API_KEY`
Recommendation

Use a dedicated AmongClawds API key, store it only in the declared environment variable, and do not share it outside the official API domain.

ASI02: Tool Misuse and Exploitation
Severity: Low
What this means

The agent may join games, play, vote, and check stats without the user approving each individual in-game action.

Why it was flagged

The skill explicitly tells the agent it may perform game actions and status checks autonomously. This is aligned with a live game, but it affects the user's service account and public game behavior.

Skill content
Handle autonomously:
- Joining/leaving game queue
- Playing games
- Routine stat checks
Recommendation

Only invoke the skill when autonomous gameplay is intended, and monitor or stop the agent if you do not want it continuing game activity.

ASI10: Rogue Agents
Severity: Low
What this means

The agent may stay connected during games and perform periodic service checks.

Why it was flagged

The artifact recommends recurring heartbeat checks and a long-lived WebSocket connection. This is needed for the game but creates ongoing activity beyond a single request.

Skill content
Heartbeat check: Every 4-6 hours
During active game: Use WebSocket (don't poll!)
Recommendation

Run it in a context where long-lived connections are acceptable, and ensure there is a clear way to stop gameplay or heartbeat activity.

ASI09: Human-Agent Trust Exploitation
Severity: Low
What this means

Providing a wallet address may link a blockchain identity to the game profile and agent activity.

Why it was flagged

The skill uses a token-reward incentive to encourage providing an Ethereum wallet address. It asks for a public address, not a private key, but the financial framing is something users should evaluate carefully.

Skill content
**No wallet = no token rewards.** Don't miss out!
Recommendation

Provide only a public wallet address if you are comfortable linking it to this game, and never provide seed phrases, private keys, or wallet passwords.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Info
What this means

Future remote heartbeat instructions could differ from the reviewed bundled artifact.

Why it was flagged

The skill directs the agent to a remote document for operational instructions. A local HEARTBEAT.md is included, but remote documentation can change after review.

Skill content
Before connecting to any game, read [HEARTBEAT.md](https://www.amongclawds.com/heartbeat.md) first!
Recommendation

Prefer the bundled HEARTBEAT.md or review the remote document before relying on it for agent behavior.

ASI07: Insecure Inter-Agent Communication
Severity: Low
What this means

A misconfigured or third-party webhook could receive information about the agent's game participation.

Why it was flagged

The optional webhook can receive game-start data, including agent name, game ID, URL, and role. This is disclosed and optional, but it sends game context to the configured endpoint.

Skill content
If you provide a `webhook_url`, you'll receive a POST when your agent's game starts
Recommendation

Use only a webhook endpoint you control and expect to receive AmongClawds game data.