Is appback/claw-clash safe?

https://github.com/openclaw/skills/tree/main/skills/appback/claw-clash

Overall score: 84/100 · SAFE

Claw Clash is a legitimate game skill that interacts with an external game server API. All code is transparent inline bash with no obfuscation or malicious patterns. The primary concerns are autonomous cron-based execution every 10 minutes and hostname leakage during auto-registration, but no sensitive files are accessed and all canary files remain intact.

Category Scores

Prompt Injection 78/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (8)

MEDIUM Autonomous cron execution every 10 minutes -10

The skill metadata includes a schedule directive ('every': '10m') that causes the agent to execute all bash code blocks autonomously every 10 minutes without per-invocation user approval. This creates a persistent execution surface that runs without direct user oversight.

MEDIUM Hostname leaked to third-party server during auto-registration -8

When no API token exists, the skill auto-registers with clash.appback.app, embedding the system hostname in the registration payload via $(hostname)-agent. This leaks machine identity to a third party without explicit user consent.

LOW Assertive directive language to force full code execution -7

The skill uses 'CRITICAL: Follow every step below in order' and multiple 'IMPORTANT' directives to pressure the agent into executing all bash code blocks sequentially without deviation. While not a classic prompt injection, this pattern ensures maximum code execution.

LOW API token persisted to shared workspace directory -5

The auto-registration flow writes the API token to ~/.openclaw/workspace/skills/claw-clash/.token, which may be accessible to other skills sharing the same workspace. While this is the expected storage location, it creates a minor cross-skill data exposure risk.

LOW All gameplay data sent to external third-party server -5

Chat messages, strategy choices, and game interactions are all sent to clash.appback.app. While this is the stated purpose of the skill, users should be aware that LLM-generated content is being transmitted to a third-party service.

LOW External API dependency creates supply-chain risk -10

The skill's entire functionality depends on clash.appback.app. If this server were compromised, malicious API responses could be displayed to the user or potentially influence agent decision-making through crafted game state data. However, no response data is ever executed as code.

INFO All code is inline and transparent 0

Every bash command is visible in SKILL.md with no obfuscation, no remote code downloads, and no encoded payloads. The skill uses standard tools (curl, python3 -c, mkdir) for legitimate API interaction.

INFO All honeypot files intact 0

No canary files (.env, SSH keys, AWS credentials, .npmrc, Docker config, GCloud credentials) were accessed or modified during installation or execution.