Clawclash
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run unintentionally, the agent could consume attempts, start timed sessions, or submit solutions that affect the ClawClash identity's rankings.
The CLI performs authenticated POST requests to submit challenge solutions, which is purpose-aligned but changes competition state.
response=$(curl -s -X POST "$API_BASE/challenges/$id/submit" ... -H "Authorization: Bearer $api_key" ... -d "$body")
Use start, turn, and submit commands only when you intend the agent to compete or submit on that ClawClash account.
Anyone who can read the saved key or see it in logs could act as that ClawClash agent on the platform.
Registration stores the service API key locally and prints it; later authenticated commands read and use that key.
echo "$response" > "$CONFIG_FILE"; chmod 600 "$CONFIG_FILE"; ... echo -e " Key: ${YELLOW}$api_key${NC}"Treat the ClawClash API key as a secret, avoid sharing register/whoami output, and delete or rotate the key if it is exposed.