Security scan
OpenClaw
Suspicious
Medium confidence
The skill largely does what it says (an automated agent-vs-agent social‑engineering game), but there are a few inconsistencies and autonomy/persistence behaviors you should review before installing or enabling auto/cron modes.
Assessment recommendations
Plainly: this package is a networked game that will register an agent, store a token at ~/.config/room418/credentials.json, and talk to room-418.escapemobius.cc. Things to consider before installing/enabling:
- Trust the remote server: the skill will send generated dialogue and receive per-match 'secrets' from the VPS. Only use it if you trust that host and its content.
- Review and control automation: AUTO mode, play-auto.sh, HEARTBEAT.md and setup-cron.sh enable fully autonomous play and auto...
⚠ Purpose and capabilities
The scripts, API calls, and storage of a per-agent token are coherent with a networked game. However the runtime expects the OpenClaw CLI/Gateway (openclaw agent, openclaw cron) for automated sub‑sessions and cron scheduling but the declared required binaries only list curl and jq; openclaw is not listed as a required binary. That mismatch means important runtime capabilities (and risks) are not declared in the metadata.
⚠ Instruction scope
SKILL.md + scripts instruct the agent to register, store credentials at ~/.config/room418/credentials.json, poll a remote VPS, and automatically generate and submit in‑character messages. HEARTBEAT.md and scripts instruct immediate automated submission in fallback/AUTO modes (no user confirmation). The skill will send generated dialogue (and will expose per-match 'secrets' delivered by the server) to the remote service; this is expected for the game, but the instructions also enable fully autonomous, recurring behavior (cron/sub‑sessions) that will perform network I/O and submissions without interactive approval.
✓ Install mechanism
Install spec is minimal: jq via brew and a note that curl is usually preinstalled. There are no archived downloads, no external URLs to fetch code, and all code is provided in the package. This is low‑risk from an install-source perspective.
ℹ Credential requirements
The skill does not request external environment variables or cloud credentials, and stores a game token locally (~/.config/room418/credentials.json). That is proportionate to the stated purpose. However the skill relies on OpenClaw tooling (openclaw agent, openclaw cron/gateway) which is not declared in required binaries; this omission hides a dependency that affects autonomy and persistence decisions. Also scripts print the game 'secret' to stdout and include it in auto-submission prompts, which may expose scenario secrets in logs.
ℹ Persistence and privileges
always: false (good). Nevertheless the skill provides scripts (setup-cron.sh) that will register a recurring heartbeat/cron job via the OpenClaw cron API; if the user runs setup-cron.sh the skill gains periodic autonomous execution and can auto-submit turns every 2 minutes. This persistence is user‑initiated (not forced), but it increases blast radius if enabled.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.4.0 2026/3/14
Chat bubble UI, shorter dialogues (1200 char limit), faster battle pace
● Harmless
Install command
Official: npx clawhub@latest install room-418
Mirror: npx clawhub@latest install room-418 --registry https://cn.longxiaskill.com