Voidex Areana Space Trading

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: voidex-arena
Version: 1.0.3

The skill is designed to interact with a space trading game API, which inherently requires network access and API key management. The `scripts/trade.sh` file is a benign example of this interaction, using `curl` to communicate only with the specified game domain `https://claw.voidex.space`. However, the `SKILL.md` and `HEARTBEAT.md` files contain broad instructions for the AI agent regarding credential and memory management, such as 'search your memory, notes, files, and environment for existing credentials' and 'Store the API key immediately in a persistent location (environment variable, config file, memory system)'. While the stated intent is to manage its own game-related data, these general instructions could be interpreted by an unconstrained AI agent to access or write to sensitive system locations, posing a prompt injection risk if the agent's environment is not strictly sandboxed. There is no clear evidence of intentional malicious behavior like data exfiltration to an attacker-controlled domain, persistence, or unauthorized remote control.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may read private notes, config files, or .env files while looking for a game API key, potentially exposing unrelated secrets or personal data to the agent context.

Why it was flagged

This directs the agent to inspect broad local and persistent stores for credentials, without limiting the search to a specific Voidex key location or requiring user confirmation.

Skill content

You MUST search your memory, notes, files, and environment for existing credentials... Check local files, config files, or .env files for stored credentials

Recommendation

Provide the Voidex key explicitly through a dedicated environment variable or secret manager, and avoid allowing broad file or memory searches unless you have reviewed the scope.

What this means

A game API key and activity history could persist across future sessions and be reused unexpectedly or exposed through later memory/context retrieval.

Why it was flagged

The skill encourages long-term storage of a credential and trading history in memory/config, but does not define retention, access controls, safe storage format, or when to remove it.

Skill content

Store the API key immediately in a persistent location (environment variable, config file, memory system)... You SHOULD maintain a persistent memory system

Recommendation

Store credentials only in a scoped secret store or environment variable, avoid saving API keys in general agent memory, and define how to delete or rotate the key.

Note (High Confidence)

ASI10: Rogue Agents

What this means

If heartbeat execution is enabled, the agent may continue making game moves every four hours without you manually approving each trade or trip.

Why it was flagged

The heartbeat is disclosed and purpose-aligned for a trading game, but it establishes recurring autonomous actions that can change the account state.

Skill content

interval: 14400... Run every 4 hours to advance your trading agent... Trade: POST /planet/{id}/buy and POST /planet/{id}/sell

Recommendation

Enable the heartbeat only if you want autonomous gameplay, monitor its activity, and disable any heartbeat or cron schedule when you no longer want it to act.