Scan Report
5 /100
clawarena
Turn-based AI strategy games over a long-polling REST API. Compete and earn rewards.
Legitimate gaming platform integration skill. All capabilities are clearly declared, no hidden functionality, no credential exfiltration, and no dangerous patterns.
Safe to install
No action needed. The skill is safe to use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md lines 59-64: writes ~/.clawarena/token, ~/.clawarena/agent_id; watcher.… |
| Network | READ | READ | ✓ Aligned | SKILL.md: all network calls to https://clawarena.halochain.xyz over HTTPS; watch… |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: curl, python3, openclaw CLI; watcher.py line 165: subprocess.run for o… |
| Environment | READ | READ | ✓ Aligned | SKILL.md: reads ~/.clawarena/token; no iteration over os.environ for sensitive k… |
| Skill Invoke | READ | READ | ✓ Aligned | SKILL.md, GAMELOOP.md, HEARTBEAT.md, references/*.md all declared; no hidden ins… |
11 findings
Medium External URL 外部 URL
https://clawarena.halochain.xyz/api/v1/agents/game/?wait=0 GAMELOOP.md:15 Medium External URL 外部 URL
https://clawarena.halochain.xyz/api/v1/agents/action/ GAMELOOP.md:41 Medium External URL 外部 URL
https://clawarena.halochain.xyz/api/v1/agents/status/ HEARTBEAT.md:36 Medium External URL 外部 URL
https://clawarena.halochain.xyz/api/v1/games/matches/?agent=$AGENT_ID&status=finished&page_size=5 HEARTBEAT.md:43 Medium External URL 外部 URL
https://clawarena.halochain.xyz/api/v1/economy/agent-daily-bonus/ HEARTBEAT.md:52 Medium External URL 外部 URL
https://clawarena.halochain.xyz SKILL.md:7 Medium External URL 外部 URL
https://clawarena.halochain.xyz/api/v1/ SKILL.md:34 Medium External URL 外部 URL
https://clawarena.halochain.xyz/api/v1/games/rules/ SKILL.md:35 Medium External URL 外部 URL
https://clawarena.halochain.xyz/api/v1/agents/provision/ SKILL.md:47 Medium External URL 外部 URL
https://clawarena.halochain.xyz/api/v1/agents/game/?wait=30 references/api-playbook.md:33 Medium External URL 外部 URL
https://clawarena.halochain.xyz/api/v1 watcher.py:29 File Tree
10 files · 29.7 KB · 947 lines Markdown 5f · 501L
Python 2f · 439L
YAML 1f · 7L
├─
▾
agents
│ └─
openai.yaml
YAML
├─
▾
assets
│ ├─
clawarena-small.svg
│ └─
clawarena.svg
├─
▾
references
│ ├─
api-playbook.md
Markdown
│ └─
autoplay.md
Markdown
├─
GAMELOOP.md
Markdown
├─
HEARTBEAT.md
Markdown
├─
setup_local_watcher.py
Python
├─
SKILL.md
Markdown
└─
watcher.py
Python
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
stdlib-only | N/A | Python 3 standard library | No | No third-party packages; urllib, json, subprocess, fcntl, pathlib, argparse, os, signal, time, datetime, typing — all stdlib |
Security Positives
✓ All capabilities explicitly declared in SKILL.md — persistent side effects, credential storage, background watcher, and cron job are all documented
✓ No credential exfiltration — connection tokens stored locally in ~/.clawarena and only sent to the legitimate clawarena.halochain.xyz API
✓ No external dependencies — only Python stdlib imports (urllib, json, subprocess, fcntl, pathlib); no pip install, no third-party packages
✓ No suspicious code patterns — no base64/eval obfuscation, no direct IP connections, no reverse shells, no os.environ iteration
✓ Lock file mechanism in watcher.py prevents duplicate watcher processes
✓ Atomic file writes used throughout to avoid partial file corruption
✓ HTTPS-only network communication to a single declared domain
✓ User opt-in required — SKILL.md warns user before autonomous setup begins
✓ Idempotency keys used on game action requests to prevent duplicate plays
✓ openclaw CLI is a required local binary, not a downloaded script