YumFu
Security checks across static analysis, malware telemetry, and agentic risk
Overview
YumFu appears to be a coherent multiplayer RPG skill, but it uses local helper scripts, persistent game logs/saves, optional Gemini credentials, group-chat delivery, and opt-in daily updates.
YumFu looks appropriate for its RPG purpose. Before installing, be comfortable with local Python helper execution, persistent local saves/logs, optional Gemini API usage for images, media being posted into group chats, and opt-in daily updates. Do not put private real-world information into gameplay, and disable images/logging/daily evolution if you do not want those features.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Playing the game can run local scripts and write local game data on each turn.
Normal gameplay asks the agent to run local Python helper scripts through uv and mutate save state. This is central to the RPG workflow and disclosed, but users should know local code is executed.
Load their save file with `load_game.py` ... `uv run ~/clawd/skills/yumfu/scripts/build_gameplay_context.py` ... Save their progress with `save_game.py`
Install only from the intended source, keep uv and Python dependencies trusted, and treat YumFu as a local-code-running skill rather than a purely text prompt.
If you provide a Gemini key, gameplay image generation may consume that account's API quota and send image prompts to Google Gemini.
The skill may use a provider API key for AI art. This is disclosed and purpose-aligned, but the registry metadata does not list a required env var because the credential is optional.
export GEMINI_API_KEY="your-key-here" ... External API: Google Gemini (optional, for AI image generation only)
Use a dedicated or limited-scope API key when possible, monitor quota/costs, and disable images if you do not want external API calls.
Your gameplay text and generated story content may remain on disk and be reused to create storybooks later.
The skill persists per-turn player inputs, AI responses, and image references for storybook generation. This is disclosed and local, but it creates durable conversation/game transcripts.
log_turn(user_id, universe, player_input, ai_response, image) ... 保存到 ~/clawd/memory/yumfu/sessions/.../session-{id}.jsonlAvoid sharing sensitive real-world information during gameplay, and use the documented logging-disable option if you do not want session transcripts retained.
Game actions, generated images, and shared-world changes may be visible to other people in the group chat.
The skill is designed to deliver generated images/media into group chats and maintain shared multiplayer state. This is expected for the stated purpose, but it crosses local-agent and chat-platform boundaries.
完整支持:OpenClaw ... 多人在线(Telegram群聊) ... 自动发送配图(`message` tool) ... 共享世界状态
Use YumFu only in groups where participants expect shared RPG content, and avoid putting private information into gameplay turns.
If enabled, the game may keep producing or preparing world updates on a schedule instead of only responding to immediate messages.
The skill supports ongoing daily updates outside a single immediate turn. The text says this is optional and opt-in, so it appears purpose-aligned rather than hidden persistence.
Optional daily world evolution updates (opt-in per player)
Enable daily evolution only if you want scheduled game activity, and confirm there is a clear way to disable it for each save/player.