claw-rpg Security Report — Trusted | ClawSafe

5 /100

claw-rpg

D&D 3.5 RPG character system for AI lobster agents — reads SOUL.md/MEMORY.md, tracks XP, levels up, sends Telegram reports, fires flavor text

Claw RPG is a legitimate D&D 3.5-style character growth system for AI agents. It reads workspace files, tracks XP in a local JSON save, fires flavor text, and optionally sends Telegram notifications via the local OpenClaw gateway. No malicious behavior, credential theft, or unauthorized network exfiltration was found.

Skill Nameclaw-rpg

Duration72.5s

Enginepi

✓

Safe to install

Approve for use. This is a safe, well-structured RPG gamification layer with no security concerns.

Findings 3 items

Severity	Finding	Location
Low	SKILL.md mentions execSync example but scripts don't use it Doc Mismatch SKILL.md shows an integration snippet using child_process.execSync, but the actual scripts use import() module invocation. No shell execution occurs. execSync(`node ${SKILL_ROOT}/scripts/xp.mjs --in ${deltaIn} --out ${deltaOut}`) → Update the integration example to use import() or describe it as an optional external integration method rather than implying the scripts themselves use execSync.	`SKILL.md:67`
Low	Reads workspace metadata files for language detection Sensitive Access _notify.mjs and greet.mjs read SOUL.md, MEMORY.md, IDENTITY.md, USER.md from the workspace to detect language. This is declared behavior and necessary for the feature. `for (const f of ['MEMORY.md', 'IDENTITY.md', 'USER.md', 'SOUL.md'])` → No action needed; this is documented and necessary functionality.	`scripts/_notify.mjs:67`
Info	Reads OpenClaw gateway config for local integration Sensitive Access loadGateway() reads openclaw.json from ~/.openclaw/ to get auth token and port for Telegram gateway integration. Token is used only in local fetch() calls. `join(process.env.HOME \|\| '', '.openclaw', 'openclaw.json')` → No action needed; token is used locally only, never exfiltrated.	`scripts/_notify.mjs:13`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`WRITE`	✓ Aligned	All file writes are confined to DATA_DIR (workspace/claw-rpg/) and character.jso…
Network	`READ`	`READ`	✓ Aligned	Only localhost connections to OpenClaw gateway (port 18789) for Telegram push no…
Shell	`NONE`	`NONE`	—	No child_process.execSync/exec calls in any script. easter.mjs uses dynamic impo…
Environment	`NONE`	`NONE`	—	os.environ not iterated; only USERPROFILE/HOME used for path resolution
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation or sandbox escape
Clipboard	`NONE`	`NONE`	—	No clipboard access detected
Browser	`NONE`	`NONE`	—	Dashboard server binds to localhost:3500 only; no browser automation
Database	`NONE`	`NONE`	—	No database access

8 findings

🔗

Medium External URL 外部 URL

https://openclaw.ai

README.md:3

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/ClawhHub-claw--rpg-orange

README.md:5

🔗

Medium External URL 外部 URL

https://clawhub.ai/RAMBOXIE/claw-rpg

README.md:5

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/version-2.3.0-blue

README.md:5

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/License-MIT--0-blue

README.md:5

🔗

Medium External URL 外部 URL

https://babeljs.io/

dashboard/README.md:7

🔗

Medium External URL 外部 URL

https://vite.dev/guide/rolldown

dashboard/README.md:7

🔗

Medium External URL 外部 URL

https://react.dev/learn/react-compiler/installation

dashboard/README.md:12

File Tree

39 files · 162.0 KB · 4261 lines

JavaScript 15f · 2400L Markdown 11f · 808L CSS 2f · 485L TypeScript 3f · 428L JSON 5f · 127L HTML 1f · 13L

├─ ▾ 📁 assets

│ └─ 📋 level-table.json JSON 32L · 972 B

├─ ▾ 📁 dashboard

│ ├─ ▾ 📁 public

│ │ └─ 📦 vite.svg 1.5 KB

│ ├─ ▾ 📁 src

│ │ ├─ ▾ 📁 assets

│ │ │ └─ 📦 react.svg 4.0 KB

│ │ ├─ 📄 App.css CSS 417L · 10.1 KB

│ │ ├─ 📜 App.tsx TypeScript 407L · 18.1 KB

│ │ ├─ 📄 index.css CSS 68L · 1.2 KB

│ │ └─ 📜 main.tsx TypeScript 10L · 240 B

│ ├─ 📜 eslint.config.js JavaScript 23L · 639 B

│ ├─ 📄 index.html HTML 13L · 371 B

│ ├─ 📋 package.json JSON 34L · 848 B

│ ├─ 📝 README.md Markdown 73L · 2.6 KB

│ ├─ 📜 server.js JavaScript 120L · 3.8 KB

│ ├─ 📋 tsconfig.app.json JSON 28L · 760 B

│ ├─ 📋 tsconfig.json JSON 7L · 126 B

│ ├─ 📋 tsconfig.node.json JSON 26L · 679 B

│ └─ 📜 vite.config.ts TypeScript 11L · 217 B

├─ ▾ 📁 memory

│ └─ 📝 2026-03-16.md Markdown 5L · 180 B

├─ ▾ 📁 references

│ ├─ 📝 abilities.md Markdown 142L · 7.0 KB

│ ├─ 📝 classes.md Markdown 138L · 5.8 KB

│ └─ 📝 prestige.md Markdown 64L · 1.8 KB

├─ ▾ 📁 scripts

│ ├─ 📜 _formulas.mjs JavaScript 378L · 15.7 KB

│ ├─ 📜 _notify.mjs JavaScript 387L · 14.9 KB

│ ├─ 📜 _paths.mjs JavaScript 30L · 1.1 KB

│ ├─ 📜 arena.mjs JavaScript 79L · 2.5 KB

│ ├─ 📜 easter.mjs JavaScript 193L · 6.7 KB

│ ├─ 📜 greet.mjs JavaScript 188L · 8.0 KB

│ ├─ 📜 init.mjs JavaScript 151L · 5.8 KB

│ ├─ 📜 levelup.mjs JavaScript 91L · 3.6 KB

│ ├─ 📜 report.mjs JavaScript 156L · 6.3 KB

│ ├─ 📜 setup-cron.mjs JavaScript 92L · 2.7 KB

│ ├─ 📜 sheet.mjs JavaScript 152L · 5.6 KB

│ ├─ 📜 sync-xp-recovery.mjs JavaScript 94L · 3.8 KB

│ └─ 📜 xp.mjs JavaScript 266L · 11.1 KB

├─ 📝 AGENTS.md Markdown 24L · 802 B

├─ 📝 MEMORY.md Markdown 28L · 1.2 KB

├─ 📝 README.md Markdown 154L · 5.5 KB

├─ 📝 SKILL.md Markdown 146L · 5.0 KB

├─ 📝 SOUL.md Markdown 21L · 765 B

└─ 📝 USER.md Markdown 13L · 361 B

Dependencies 6 items

Package	Version	Source	Known Vulns	Notes
`express`	`^5.2.1`	npm	No	Standard web framework, version reasonably pinned
`cors`	`^2.8.6`	npm	No	Well-maintained middleware
`react`	`^19.2.0`	npm	No	Latest stable React
`recharts`	`^3.8.0`	npm	No	Charting library, no known vulnerabilities
`vite`	`^7.3.1`	npm	No	Latest Vite
`typescript`	`~5.9.3`	npm	No	Tilde pin, minor version flexible

Security Positives

✓ All file writes are sandboxed to the workspace claw-rpg directory (workspace/claw-rpg/character.json)

✓ Network access is strictly localhost-only (OpenClaw gateway on port 18789)

✓ No child_process.execSync/exec usage anywhere — shell:WRITE is not exercised

✓ Gateway token is used only for local API calls, never transmitted externally

✓ No base64 encoding, obfuscation, or eval() patterns

✓ No credential harvesting — only reads a local gateway config for integration

✓ No sensitive paths (~/.ssh, ~/.aws, .env) are accessed

✓ No curl|bash or remote script execution

✓ Dependencies are all well-known, pinned packages (express, react, cors, recharts)

✓ XP recovery uses hardcoded token estimates (400/200) and cannot steal real tokens

✓ Dashboard binds only to localhost:3500 with no external exposure

Scan Report

Findings 3 items

File Tree

Dependencies 6 items

Security Positives