Play a text-based game of rock–paper–scissors against the user and keep score.
Security Analysis
High confidence: The skill's behavior and requirements are coherent for a chat rock–paper–scissors game, but the always:true persistence flag is unnecessary and increases risk; otherwise it is low-risk and instruction-only.
The name/description (text-based RPS game) matches the implementation: instruction-only, no binaries, no env vars, no installs. Nothing requested appears unrelated to the stated purpose.
SKILL.md is narrowly scoped: it explicitly forbids external tool use, file I/O, and network calls, keeps all activity in-chat, and specifies clear game flow and inputs. The only minor ambiguity is 'choose in an unpredictable way' (no RNG source specified), but that is operational, not a security problem.
No install spec or code files — lowest-risk form (instruction-only). Nothing is written to disk or fetched at install time.
The skill requests no environment variables, credentials, or config paths — appropriate for a conversational game.
The skill sets always:true without justification. That forces the skill to be present in every agent run, increasing its blast radius even though the skill needs no persistent privileges. A simple game does not need forced inclusion; this is unnecessary and raises risk if platform enforcement of the SKILL.md constraints is imperfect.
Guidance
This skill is otherwise coherent and low-risk because it's instruction-only and asks for no credentials. However, the always:true flag is excessive for a simple game: ask the publisher why the skill must be forced into every agent run and request that it be removed unless there's a clear reason. Before installing, ensure your platform enforces skill runtime restrictions (the skill's file explicitly forbids external tools and network/file access — verify the platform actually enforces that). If you don't trust the unknown owner or don't want a skill present in all agent sessions, decline or ask for a version without always:true (user-invocable only). If the platform allows you to inspect or sandbox skills, prefer installing only when that sandboxing is in place.
Latest Release
v1.0.0
It's a new one
Published by @YoavRez on ClawHub