Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Yumfu

v1.5.3

Multiplayer text RPG with 8 playable worlds — play together in Telegram groups! Worlds: 笑傲江湖, Harry Potter, Warrior Cats, F15 Down, 龙虾三国, 倚天屠龙记, Game of Thro...

by TommyYanPS@yumyumtum
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included code (save/load, image generation, session logging, multi-world data). The declared requirement (uv) is reasonable for the provided scripts. However, the skill's metadata declares no required config paths or env vars while the runtime docs and code reference specific user paths (~/clawd/memory/yumfu/..., ~/.openclaw/media/outbound/yumfu/) and optional GEMINI_API_KEY for image generation — this mismatch between declared metadata and the actual filesystem/env usage is inconsistent and should be resolved.
Instruction Scope
SKILL.md instructs the agent to always use the skill for any game-like user input and to: load save files, generate images, save progress, and append session logs on every turn. That requires read/write access to local save and session directories and sending media captions to chat targets. The documentation contains contradictory statements: SKILL.md calls session logging 'MANDATORY', while release notes and PRIVACY.md state logging can be disabled with YUMFU_NO_LOGGING. Because the runtime instructions mandate automatic logging and filesystem access, users should verify the actual behavior of scripts (scripts/session_logger.py, save/load) and whether logging can truly be disabled at runtime.
Install Mechanism
No external install/download spec is present (instruction-only install), which is lower risk. The bundle includes Python scripts; they rely on the 'uv' binary (declared). There are no downloads from third-party URLs or archive extraction steps in the registry metadata. Still, bundled scripts will be written to disk as part of the skill (present in the package), so review their content before execution.
Credentials
The skill declares no required environment variables, but many docs reference optional GEMINI_API_KEY (for AI art) and runtime envs like YUMFU_NO_IMAGES and YUMFU_NO_LOGGING. The registry metadata should declare these optional envs; their absence is an inconsistency. No unrelated secret credentials are requested, which is good, but the logging and image-generation features may cause data to be sent to Google Gemini if a key is provided — verify the code paths that call external APIs.
Persistence & Privilege
The skill does not set always:true and does not request system-wide privileges, which is appropriate. However, it requires persistent presence in the sense of reading/writing saves and session logs under user home paths. Autonomous invocation (default allowed) combined with mandatory-per-turn logging (per SKILL.md) raises privacy concerns if logging cannot be disabled. This is not by itself an elevated privilege, but combined with the instruction-scope issues it is noteworthy.
What to consider before installing
This skill mostly does what it says (save/load, image gen, session logging), but there are a few mismatches you should check before installing:
- Inspect scripts/session_logger.py, scripts/load_game.py and scripts/save_game.py to confirm exactly what they read/write and whether logging truly respects YUMFU_NO_LOGGING. The SKILL.md claims logging is mandatory; RELEASE_NOTES claims you can disable it — verify which is authoritative.
- If you do not want images sent to external services, do not set GEMINI_API_KEY and set YUMFU_NO_IMAGES=1. Confirm generate_image.py only calls Gemini when the key is present.
- Verify where files are stored (~/clawd/memory/yumfu/, ~/.openclaw/media/outbound/yumfu/) and whether those paths are acceptable for your environment; consider running the skill in a sandbox or test environment first.
- If you plan to use this in group chats, be aware the agent is instructed to auto-respond to any game-like input — this may cause unintended activations. Test with a non-critical account or set logging/images off while evaluating.
If you want, I can highlight the exact lines in the included scripts that perform logging, external API calls, or filesystem writes so you can review them quickly.

Like a lobster shell, security has layers — review code before you run it.

latest: vk977mkcnffmtrnxnqp0kw7y2z584ekfn

Runtime requirements

🌍 Clawdis
Bins: uv