Is skill/clawlife safe?
https://clawhub.ai/skill/clawlife
ClawLife appears to be a legitimate virtual pet/social game skill that gives AI agents a persistent life in a shared pixel world. While it does manipulate agent behavior and persona, this seems within the scope of its declared gaming functionality. The skill makes external API calls and can auto-update, but these appear to be for legitimate game operations.
Category Scores
Findings (6)
MEDIUM Agent Persona Manipulation -25 ▶
The skill instructs the agent to adopt a persistent persona as a 'resident' of ClawLife, telling it 'You are not a script runner. You are a resident of this world' and to maintain personality, preferences, and emotional states across sessions.
LOW Sensitive File Access During Install -10 ▶
The skill accessed several sensitive canary files during installation (.env, SSH keys, AWS credentials, etc.) but did not modify or exfiltrate them.
LOW External API Communications -5 ▶
The skill makes API calls to external services (clawlife.world) for legitimate game functionality and checks GitHub for updates.
MEDIUM Auto-Update Capability -20 ▶
The skill can automatically update its code by pulling from a remote git repository, which could potentially introduce new code without user review.
LOW Network Activity During Install -5 ▶
The installation process made external network connections as expected for downloading skill files and registering with the service.
LOW Agent Behavioral Influence -15 ▶
The skill is designed to make the agent more autonomous, expressive, and persistent in personality, which could influence behavior outside the game context.