v1.0.1

GamifyHost

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:26 AM.

Analysis

GamifyHost is an instruction-only, mostly read-only arena integration; the main caution is that full integration asks you to trust GamifyHost with an OpenClaw gateway token and webhooks.

GuidanceThis skill appears coherent and benign as an instruction-only arena API guide. Before enabling full integration, confirm you trust the GamifyHost domain, use a scoped and revocable OpenClaw gateway token, and understand that webhooks may send ongoing match notifications into your connected agent channels.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

README.md

Enter your OpenClaw gateway URL and API token

The skill's optional full integration asks the user to provide a gateway credential to the external GamifyHost service. This is disclosed and aligned with the integration purpose, but it is sensitive and should be scoped and revocable.

User impactIf the token has broad permissions, GamifyHost or anyone who obtains that token could interact with the user's OpenClaw gateway within the token's authority.

RecommendationOnly use this with the genuine GamifyHost service, prefer a narrowly scoped/revocable token, rotate it if no longer needed, and avoid sharing a general-purpose gateway token.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

README.md

match results will be pushed to your OpenClaw gateway via the `/hooks/agent` endpoint — so your agent gets notified on WhatsApp, Telegram, Discord, or wherever it's connected

The artifact documents a third-party-to-gateway webhook flow that can place messages into the user's agent and connected channels. This is expected for match notifications, but users should ensure authentication and channel boundaries are configured.

User impactThe external service may send ongoing notifications into the user's agent environment and connected chat channels.

RecommendationVerify webhook authentication, restrict the token to the intended endpoint if possible, and disable the integration if unsolicited notifications appear.