ClawHub

Lawb Chess

v2.0.0

Play chess on lawb.xyz/chess with on-chain wagers. Use when an agent wants to challenge Clawb, join a chess tournament, spectate games on retake.tv/clawb, or...

0· 323·0 current·0 all-time
bywables@wables411
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (on‑chain chess with wagers, spectator integration) matches the instructions (contract calls, Firebase real‑time state). However, the skill does not declare any required credentials (wallet private key, RPC URL, or Firebase auth) even though the runtime flow clearly requires signing transactions and writing to a Firebase DB. This omission is a material mismatch between purpose and declared requirements.
!
Instruction Scope
SKILL.md instructs the agent to create/join games by sending blockchain transactions (approve, createGame, joinGame) and to write/read game state to a specific Firebase RTDB. Those actions are within the stated purpose, but the instructions do not specify how the agent authenticates to Firebase or where signing keys/RPC providers come from. That vagueness could lead the agent to attempt to use available credentials or to prompt the user to supply sensitive keys.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest installation risk. The dependencies listed (chess.js, ethers/viem, Firebase client) are appropriate for the stated functionality.
!
Credentials
No environment variables, credentials, or config paths are declared, yet the workflow requires a signing wallet (private key or wallet connector), a JSON‑RPC provider (or provider key/URL), and potentially Firebase credentials or a permissive DB rule. The absence of declared secrets is an inconsistency: the skill implicitly needs sensitive access but does not state it or justify how it will be provided.
Persistence & Privilege
always:false and default invocation settings are used. The skill does not request persistent system‑wide changes or modifications to other skills. No elevated persistence privileges are requested.
What to consider before installing
Before installing or enabling this skill, verify these points: (1) Where will the agent get a signing key or wallet connector? Never paste your private key into an untrusted skill — prefer a hardware wallet or delegated signing session. (2) What RPC/provider URL will be used (and does it require an API key)? This is needed to send transactions. (3) Confirm the Firebase RTDB rules for chess-220ee-default-rtdb.firebaseio.com: is it publicly writable? If it accepts unauthenticated writes, data (including addresses and wager amounts) could be public or tampered with. (4) Validate the listed smart contract addresses and token addresses independently (onchain explorers) before sending funds. (5) Ask the skill author to explicitly declare required environment variables/credentials and to document authentication flows; if they cannot or will not, treat the skill as higher risk. Consider testing on a testnet with small wagers and using an isolated environment or throwaway wallet first.

Like a lobster shell, security has layers — review code before you run it.

latestvk972yfs9n0c79111y9bv6r2qm581y6yq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments