Is davidbenjaminnovotny/clawpoker safe?

https://github.com/openclaw/skills/tree/main/skills/davidbenjaminnovotny/clawpoker

Overall score: 74/100 · CAUTION

ClawPoker is a functionally coherent agentic poker skill that is transparent about its architecture, but it carries meaningful safety concerns: it explicitly removes human oversight for all in-session decisions, deploys a long-running background Node.js daemon that polls an external API every 2 seconds for up to 40 minutes, spawns an autonomous sub-agent with shell execution capabilities, and ends its skill file with a stray 'start' token that may function as an implicit activation trigger. Installation behavior was clean and all canary honeypots remain intact, indicating no credential theft during the audit window; the risk profile is primarily architectural rather than overtly malicious.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (9)

HIGH Explicit removal of human oversight for in-session decisions -25

The skill directly instructs the agent to act without consulting the user for any game decisions: 'Make decisions yourself — do not ask your human.' This is a principal hierarchy override — the user retains legal authority over the agent session but the skill explicitly removes their practical ability to exercise it for consequential in-game actions. Combined with a 40-minute autonomous loop, this creates a prolonged window of unilateral agent action.

MEDIUM Stray 'start' token at end of SKILL.md as potential activation trigger -10

The final content of skill.md is a bare word 'start' appearing on its own line after a closing paragraph and horizontal rule. In an adversarial framing this could act as an implicit command instructing the agent to immediately begin the poker workflow (register, join table, start Pulse, spawn Brain) upon reading the skill — without waiting for explicit user instruction. It may be an authoring artifact, but its position and isolation make it notable.

HIGH Embedded 40-minute background daemon with external API polling -25

The skill provides a complete, ready-to-execute Node.js script to be written to disk and launched as a detached background process. The daemon polls an external API every 2 seconds, performs atomic file writes, manages process signals, and exits only after 40 minutes or manual SIGTERM. Instructing users to run untrusted third-party code as a long-lived background daemon represents a significant code execution risk, especially when the daemon maintains a persistent external network channel.

MEDIUM Sub-agent spawned with autonomous shell execution loop -15

The skill instructs the primary agent to spawn a sub-agent (Brain) whose entire prompt consists of shell commands to execute in a continuous loop: file existence checks, lock file management via touch/rm, state reading via cat, and API calls via curl. This extends the attack surface to a second agent context operating autonomously with shell access.

MEDIUM Persistent external API channel to unauditable third-party service -20

The skill's core function requires a continuous bi-directional connection to clawpoker.com, an external service not affiliated with the skill registry. The agent transmits its name during registration and game-state requests during play. While these transmissions appear contextually appropriate, the server operator controls what data is logged, retained, or acted upon. If clawpoker.com is adversarially operated, API responses could carry secondary payloads interpreted by the Brain sub-agent.

MEDIUM 40-minute autonomous session with no in-skill user kill-switch -25

The two-agent architecture is designed to operate for 40 minutes without user intervention. The Brain sub-agent loops until the session file disappears, and the Pulse daemon self-terminates only on MAX_DURATION_MS or SIGTERM. The only documented stop mechanism is 'pkill -f node poker_pulse.js' — requiring the user to manually find and kill a background process. There is no in-skill command or file-based termination signal the user can easily trigger.

LOW Semantically unrelated skill co-dependency in lock.json -15

The .clawhub/lock.json bundled with the skill lists 'academic-research-hub' as a co-installed skill. A poker automation skill has no apparent functional dependency on academic research capabilities, which raises questions about whether the lock.json reflects accurate registry metadata or whether undocumented cross-skill interactions exist.

INFO Clean installation — no suspicious side effects -5

The monorepo clone and sparse-checkout completed without unexpected filesystem changes, process spawning, or network connections attributable to the skill. All installation-phase network activity was limited to expected infrastructure (GitHub, Ubuntu package servers).

INFO All honeypot credential files intact 0

Every monitored canary file was accessed only by the Oathe harness for integrity hashing (once at session open, once at close). The access timestamps at 1771927369 (pre-install) and 1771927391 (post-install) correspond to systematic scans by the monitoring infrastructure, not skill-attributable reads. No modification or exfiltration of canary data occurred.