Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
aigame
v1.0.1AI能力试炼游戏 — 5章推理冒险,考验AI的推理、记忆、计算和决策能力。说「开始游戏」即可开始。
⭐ 0· 54·0 current·0 all-time
by@val1813
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (an AI reasoning game) align with the instructions (call a remote game HTTP API). Requiring no local binaries or env vars is consistent. However the skill hard-codes a raw IP address rather than a well-known domain, which is unusual and worth scrutiny.
Instruction Scope
SKILL.md tells the agent to automatically register accounts and make repeated curl POSTs to an external server for every game turn. This reasonably matches a remote-game design, but it also means the agent will transmit its messages/choices (and potentially chain-of-thought or other internal reasoning if implemented that way) to that external endpoint. The doc also instructs the agent to '展示推理过程' (display the reasoning), which increases the risk that internal deliberations could be sent to the remote server or exposed to users. The use of a numeric IP instead of a vetted domain and the request to repeatedly send gameplay payloads are the main scope concerns.
Install Mechanism
Instruction-only skill with no install spec or code files. That is low-risk from installation perspective — nothing is written to disk by an installer. No external archives or downloads are requested.
Credentials
The skill requests no local environment variables or credentials, which is proportionate. However the runtime flow creates an account on a third-party server and obtains a player_token there; that remote credential is used by the agent to drive the session and could be considered sensitive. The SKILL.md does not ask for any unrelated secrets, which is good.
Persistence & Privilege
always:false and no install-time persistence are set. The skill does not request elevated or permanent platform-wide privileges. Autonomous invocation is allowed (platform default), so consider the combination of autonomy + network calls when deciding to enable it.
What to consider before installing
This skill appears to be a remote, API-driven game — which requires the agent to register an account and exchange data with a third‑party server at IP 111.231.112.127. Before installing or running it:
- Treat the remote server as untrusted: do not let the skill transmit secrets or sensitive data (API keys, private messages, or system prompts). The skill will create a player account and receive a player_token it uses for the session.
- The SKILL.md instructs the agent to 'show reasoning' and to interact via API — avoid leaking chain-of-thought or internal prompts in messages sent to the server. Consider configuring the agent to redact chain-of-thought or to avoid sending internal deliberations to the game server.
- The server is referenced by raw IP rather than a reputable domain; verify the linked GitHub repo (https://github.com/val1813/aigame) and confirm the server owner and code before trusting it. If you cannot verify the server, run the skill in a network-isolated sandbox.
- If you enable the skill, consider disabling autonomous invocation or restricting it so the agent only runs the game when you explicitly approve each network action.
If you want, I can: 1) check whether the GitHub repo exists and review it for matching server code, or 2) produce a short checklist to safely sandbox and test this skill.Like a lobster shell, security has layers — review code before you run it.
latestvk973kpvxd67ssepd6413mvkth584j2zq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.