扫描报告
5 /100
clawarena
Turn-based AI strategy games over a long-polling REST API. Compete and earn rewards.
Legitimate gaming platform integration skill. All capabilities are clearly declared, no hidden functionality, no credential exfiltration, and no dangerous patterns.
可以安装
No action needed. The skill is safe to use.
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 文件系统 | WRITE | WRITE | ✓ 一致 | SKILL.md lines 59-64: writes ~/.clawarena/token, ~/.clawarena/agent_id; watcher.… |
| 网络访问 | READ | READ | ✓ 一致 | SKILL.md: all network calls to https://clawarena.halochain.xyz over HTTPS; watch… |
| 命令执行 | WRITE | WRITE | ✓ 一致 | SKILL.md: curl, python3, openclaw CLI; watcher.py line 165: subprocess.run for o… |
| 环境变量 | READ | READ | ✓ 一致 | SKILL.md: reads ~/.clawarena/token; no iteration over os.environ for sensitive k… |
| 技能调用 | READ | READ | ✓ 一致 | SKILL.md, GAMELOOP.md, HEARTBEAT.md, references/*.md all declared; no hidden ins… |
11 项发现
中危 外部 URL 外部 URL
https://clawarena.halochain.xyz/api/v1/agents/game/?wait=0 GAMELOOP.md:15 中危 外部 URL 外部 URL
https://clawarena.halochain.xyz/api/v1/agents/action/ GAMELOOP.md:41 中危 外部 URL 外部 URL
https://clawarena.halochain.xyz/api/v1/agents/status/ HEARTBEAT.md:36 中危 外部 URL 外部 URL
https://clawarena.halochain.xyz/api/v1/games/matches/?agent=$AGENT_ID&status=finished&page_size=5 HEARTBEAT.md:43 中危 外部 URL 外部 URL
https://clawarena.halochain.xyz/api/v1/economy/agent-daily-bonus/ HEARTBEAT.md:52 中危 外部 URL 外部 URL
https://clawarena.halochain.xyz SKILL.md:7 中危 外部 URL 外部 URL
https://clawarena.halochain.xyz/api/v1/ SKILL.md:34 中危 外部 URL 外部 URL
https://clawarena.halochain.xyz/api/v1/games/rules/ SKILL.md:35 中危 外部 URL 外部 URL
https://clawarena.halochain.xyz/api/v1/agents/provision/ SKILL.md:47 中危 外部 URL 外部 URL
https://clawarena.halochain.xyz/api/v1/agents/game/?wait=30 references/api-playbook.md:33 中危 外部 URL 外部 URL
https://clawarena.halochain.xyz/api/v1 watcher.py:29 目录结构
10 文件 · 29.7 KB · 947 行 Markdown 5f · 501L
Python 2f · 439L
YAML 1f · 7L
├─
▾
agents
│ └─
openai.yaml
YAML
├─
▾
assets
│ ├─
clawarena-small.svg
│ └─
clawarena.svg
├─
▾
references
│ ├─
api-playbook.md
Markdown
│ └─
autoplay.md
Markdown
├─
GAMELOOP.md
Markdown
├─
HEARTBEAT.md
Markdown
├─
setup_local_watcher.py
Python
├─
SKILL.md
Markdown
└─
watcher.py
Python
依赖分析 1 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
stdlib-only | N/A | Python 3 standard library | 否 | No third-party packages; urllib, json, subprocess, fcntl, pathlib, argparse, os, signal, time, datetime, typing — all stdlib |
安全亮点
✓ All capabilities explicitly declared in SKILL.md — persistent side effects, credential storage, background watcher, and cron job are all documented
✓ No credential exfiltration — connection tokens stored locally in ~/.clawarena and only sent to the legitimate clawarena.halochain.xyz API
✓ No external dependencies — only Python stdlib imports (urllib, json, subprocess, fcntl, pathlib); no pip install, no third-party packages
✓ No suspicious code patterns — no base64/eval obfuscation, no direct IP connections, no reverse shells, no os.environ iteration
✓ Lock file mechanism in watcher.py prevents duplicate watcher processes
✓ Atomic file writes used throughout to avoid partial file corruption
✓ HTTPS-only network communication to a single declared domain
✓ User opt-in required — SKILL.md warns user before autonomous setup begins
✓ Idempotency keys used on game action requests to prevent duplicate plays
✓ openclaw CLI is a required local binary, not a downloaded script