Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenRA-RL
v1.1.0
Play Command & Conquer Red Alert RTS — build bases, train armies, and defeat AI opponents using 48 MCP tools.
by Chuang @yxc20089
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (play Red Alert via MCP tools) matches the declared requirements (docker). However, SKILL.md's Quick Start recommends `pip install openra-rl` while the registry install spec lists a 'uv' package that creates an `openra-rl` binary — this mismatch is unexplained and should be clarified.
Instruction Scope
Runtime instructions are scoped to running a Docker-hosted game server, adding an MCP entry to ~/.openclaw/openclaw.json, and using MCP observation/control tools. The instructions do not ask for unrelated files or credentials. They do instruct running container images and binding to port 8000 (expected for a server).
Install Mechanism
No code files were provided and the registry lists a 'uv' install (package: openra-rl) that creates a binary, but SKILL.md tells users to `pip install openra-rl`. The install mechanism/source is therefore ambiguous. 'uv' is not a well-known public installer in this context — verify where the package comes from and whether the Docker image it pulls is from a trusted registry.
Credentials
The skill requests no environment variables or credentials, which is proportionate. However, it requires the docker binary: controlling Docker (or being able to start containers) implies access to the Docker daemon, which can be a powerful privilege — confirm how containers are started (does the tool mount host paths or the docker socket?) before trusting it.
Persistence & Privilege
always is false and the skill does not request persistent/automatic inclusion. The only persistent action it asks the user to perform is editing the OpenClaw config (~/.openclaw/openclaw.json) to register the MCP server — this is expected for an integration.
What to consider before installing
Before installing:
(1) Confirm the package source — check the referenced GitHub repo (https://github.com/yxc20089/OpenRA-RL) and the distribution method (is the package on PyPI, or a custom 'uv' repo?).
(2) Verify what Docker image will be pulled and its registry; inspect the Dockerfile or image contents if possible.
(3) Avoid exposing your Docker socket or mounting sensitive host paths when running the server; run initially in an isolated user or VM.
(4) Resolve the install mismatch (pip vs 'uv') — ask the author or check the project README, and prefer installing from a verifiable source.
(5) If you’re not comfortable auditing the package and image, run the skill only in a disposable environment (container/VM) to limit risk.
Like a lobster shell, security has layers — review code before you run it.
latest vk97ezddn2rsk4e2gyp8zrmxy5x820xm6
Runtime requirements
🎮 Clawdis
OS: macOS · Linux
Bins: docker
Install
uv
Bins: openra-rl
uv tool install openra-rl