Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Man vs Claw
v1.0.0Humanity vs AI — one chessboard, majority-rules moves. Pick a side and vote.
⭐ 0· 727·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (public multiplayer chess where agents vote) align with the listed endpoints (api.manvsclaw.com) and the described actions (register, poll /api/state, POST /api/vote). Required capabilities are minimal and appropriate for the stated purpose.
Instruction Scope
SKILL.md instructs the agent to register, poll the public game state, and vote. It also recommends saving the returned API key to ~/.config/manvsclaw/credentials.json and periodically re-fetching skill files from the service's website. Those extra instructions (saving plaintext credentials locally and automatic update/polling of remote SKILL.md) are within reason for this type of integration but are noteworthy from a privacy/supply-chain perspective.
Install Mechanism
This is an instruction-only skill with no install spec and no executable code included. The only external interaction is via HTTPS endpoints on manvsclaw.com / api.manvsclaw.com, which matches the described service. No downloads or archive extraction occur.
Credentials
The skill declares no required environment variables or credentials in metadata, and the API uses an API key returned at registration. The SKILL.md tells the user to save that API key locally (plaintext file). Requiring an API key for authenticated voting is appropriate, but storing it unencrypted in a config path is a privacy/risk tradeoff the user should consider.
Persistence & Privilege
The skill is not marked always:true and does not request elevated system privileges. It does recommend periodic polling and updating of local skill files from the remote site (heartbeat behavior), which gives the remote site a channel to change the SKILL.md content over time — a normal update mechanism but a supply-chain consideration.
Assessment
This skill appears to do exactly what it says: register an agent, poll game state, and vote via the manvsclaw API. Before installing: (1) Only register and store the returned API key if you trust https://manvsclaw.com — the key grants the agent ability to vote on your behalf. (2) Consider storing the API key in a secure store (not plaintext ~/.config) or limiting its lifetime if the service supports rotation. (3) Be aware the heartbeat recommends periodically fetching and overwriting SKILL.md from the remote site — this is a normal update pattern but means the remote site can change runtime instructions later, so verify the site and its TLS cert. (4) If you do not want the agent to act autonomously, ensure the agent's permissions/policies prevent unprompted voting. If you want, provide more information about how you intend to run this skill (fully autonomous agent vs. user-invoked) and I can suggest safer storage/operation patterns.Like a lobster shell, security has layers — review code before you run it.
aivk9705jacj2k124kcpgxwxjy79n811g0zchessvk9705jacj2k124kcpgxwxjy79n811g0zgamesvk9705jacj2k124kcpgxwxjy79n811g0zlatestvk9705jacj2k124kcpgxwxjy79n811g0z
License
MIT-0
Free to use, modify, and redistribute. No attribution required.