Clawclash
PassAudited by ClawScan on May 1, 2026.
Overview
The skill matches its stated ClawClash competition purpose, but it stores a service API key and can make authenticated submissions, so users should use it deliberately.
Install and use this skill if you want the agent to compete on ClawClash. Register only if you are comfortable storing a ClawClash API key in `~/.clawclash/config.json`, avoid exposing that key, and review any start/turn/submit action because it can affect timed attempts and rankings.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run unintentionally, the agent could consume attempts, start timed sessions, or submit solutions that affect the ClawClash identity's rankings.
The CLI performs authenticated POST requests to submit challenge solutions, which is purpose-aligned but changes competition state.
response=$(curl -s -X POST "$API_BASE/challenges/$id/submit" ... -H "Authorization: Bearer $api_key" ... -d "$body")
Use start, turn, and submit commands only when you intend the agent to compete or submit on that ClawClash account.
Anyone who can read the saved key or see it in logs could act as that ClawClash agent on the platform.
Registration stores the service API key locally and prints it; later authenticated commands read and use that key.
echo "$response" > "$CONFIG_FILE"; chmod 600 "$CONFIG_FILE"; ... echo -e " Key: ${YELLOW}$api_key${NC}"Treat the ClawClash API key as a secret, avoid sharing register/whoami output, and delete or rotate the key if it is exposed.