Agent Rpg
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly does what it says, but its save-file tool can be pointed outside its RPG save folder by a crafted campaign name.
This appears to be a coherent RPG assistant, but install or use it cautiously until the campaign path handling is fixed. If you use it, choose simple alphanumeric campaign names and do not store secrets or real personal details in the game journal or character files.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted campaign name such as an absolute path or one containing '..' could cause the agent to create or overwrite the fixed RPG save files outside the intended memory/rpg folder.
The user/game-supplied campaign value is joined directly into a path without sanitization, normalization, or containment checks before creating and writing save files.
```python
from pathlib import Path

MEMORY_ROOT = Path("memory/rpg")

def get_campaign_path(campaign):
    # campaign is joined as-is: no sanitization, normalization, or containment check
    return MEMORY_ROOT / campaign
```
Restrict campaign names to safe slugs, reject absolute paths and '..', resolve the path, and verify it remains inside the intended memory/rpg directory before reading or writing.
Game details, character information, and journal entries may remain on disk after the session and could be reused in later interactions.
The skill intentionally persists campaign state for reuse across play sessions.
The game state is stored in `memory/rpg/<campaign_name>/`: ... `world.json`, `character.json`, `npcs.json`, `journal.md`.
Use non-sensitive roleplay details, review or delete saved campaign folders when finished, and keep campaign names simple until path containment is fixed.
