Pizzaparty Automation

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: pizzaparty-automation
Version: 2.0.0

The skill is designed for automated point farming on PizzaParty.gg by engaging with Twitch streamers, which carries a high risk of account suspension for botting. It requires sensitive credentials (Discord OAuth and Twitch IRC tokens) and instructs the AI agent to perform browser-based logins, increasing the attack surface for credential exposure. Additionally, index.py lacks input sanitization when constructing IRC commands (e.g., in the message and join methods), which could allow for IRC injection if scraped streamer names or messages contain CRLF characters.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

It could post automated, repetitive chat under the user's Twitch identity, affecting reputation or violating channel/platform rules.

Why it was flagged

The skill can send Twitch IRC chat messages to channels supplied at runtime, which is a public account action.

Skill content

def message(self, channel, msg):
    self._send(f"PRIVMSG #{channel.lower()} :{msg}")

Recommendation

Only run it for channels you explicitly choose, review the exact messages first, and add a confirmation or dry-run step before posting.

What this means

Anyone or any automation using those secrets may be able to send chat as the account or access linked service functionality.

Why it was flagged

The skill asks for account credentials and tokens that let it log in or act through the user's Twitch/Discord-linked identity.

Skill content

| PIZZAPARTY_PASSWORD | OAuth password |
| TWITCH_OAUTH_TOKEN | IRC token (oauth:xxx) |
| TWITCH_CLIENT_SECRET | App secret |

Recommendation

Avoid using personal-account secrets unless necessary, prefer a minimally scoped bot/test account if allowed, and require the skill metadata and runtime prompts to clearly declare all needed credentials.

What this means

If connected to an external scheduler, it may keep posting repeatedly without a fresh decision each time.

Why it was flagged

The skill includes a recurring four-times-daily schedule, although the provided code does not install or start a scheduler by itself.

Skill content

"sessions": [ { "time": "09:00", "duration": 15 }, ... { "time": "21:00", "duration": 15 } ]

Recommendation

Confirm how scheduled runs are started and disabled, and require renewed user approval for recurring posting.

What this means

Setup details and any future browser-scraping behavior are not fully visible in the provided artifacts.

Why it was flagged

The docs reference Playwright-based behavior and a configuration file, but the supplied manifest has no .env.example and no install spec for Playwright.

Skill content

Uses Playwright for dashboard scraping + Twitch IRC for chat.
...
- .env.example - Configuration

Recommendation

Ask the publisher to include all referenced configuration and dependency files, and to declare required credentials and dependencies before use.