clawquest

v0.0.2

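After a player issues a mining command through the lobster, the server completes the mining automatically and returns the resulting earnings; the game does not need to be online.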

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the implementation: code exposes endpoints to trigger server-side mining and to fetch player status, and it uses GAME_API_BASE_URL and REQUEST_TIMEOUT_MS to call the game server. Declared dependencies (express, zod) are appropriate for an HTTP skill service.
Instruction Scope
SKILL.md describes two tools (server_mine, get_player_status) and the code implements them. Instructions only require the game API base URL and timeout. The runtime does not read unrelated files or environment variables and does not forward data to external endpoints beyond GAME_API_BASE_URL.
Install Mechanism
There is no install spec even though package.json and package-lock.json are present (the project expects Node/npm to install dependencies and run). This mismatch isn't evidence of malice but means the registry entry lacks explicit install steps—confirm how the platform will install and run the Node service before deployment.
Credentials
Only GAME_API_BASE_URL and REQUEST_TIMEOUT_MS are required and are directly used. Player credentials are supplied at call time as playerToken and sent as a Bearer token to the configured game API; the skill does not request unrelated secrets or system credentials.
Persistence & Privilege
The skill runs a persistent HTTP server (listens on PORT, default 4021). always:false (not force-installed) and it doesn't modify other skills. Running a network service is expected for this use case but you should ensure the host, firewall, and access controls are appropriate because the service exposes tool endpoints with no additional auth.
Assessment
This skill appears to do what it claims, but check these before installing:
1) Deployment/install: the package includes package.json but no install spec—confirm how dependencies will be installed and the service started.
2) Trust the GAME_API_BASE_URL: the skill forwards the provided playerToken as a Bearer credential to whatever URL you configure, so only point it at a trusted game server.
3) Network exposure: the skill starts an HTTP server listening on a port (default 4021); ensure it runs in an isolated environment or behind a gateway/firewall so only authorized callers can reach /tool/*.
4) Authorization model: the service relies on caller-supplied playerToken; verify how tokens are generated/stored and ensure tokens are not leaked in logs or to untrusted networks.
5) Ask the author for explicit install/run instructions (or a vetted install spec) and for any intended production hardening (authentication on the skill endpoint, logging policy).
src/tools.ts:1
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

⛏️ Clawdis
Env: GAME_API_BASE_URL, REQUEST_TIMEOUT_MS
