
Who Is Undercover Publish

by qq5776569 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 81
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install who-is-undercover-publish
Description
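Who Is Undercover (谁是卧底): an AI version of the classic social deduction game, supporting 4-10 players, with intelligent AI opponents and complete game mechanics.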
Usage Guidance
Do not install or run this skill in a production environment until you verify and fix the inconsistencies. Specific steps to consider:
  1. Review the upstream repository (homepage) and confirm the author and commit history.
  2. Inspect and remove or rotate any hard-coded API keys; treat the embedded key as compromised.
  3. Decide whether you want user descriptions/votes to be sent to an external service; if not, remove or disable instreet_adapter and controller code paths.
  4. Ensure package.json lists runtime dependencies (axios) or run npm install in an isolated sandbox first.
  5. If you must test, run the skill in an isolated VM/container with no network access to observe local-only behavior.
  6. If you want networked features, require explicit environment variables for API keys (do not hard-code) and update SKILL.md/INSTALL.md to disclose external endpoints and data transmitted.
If you are not comfortable auditing the code, avoid installing the skill.
Capability Analysis
Type: OpenClaw Skill
Name: who-is-undercover-publish
Version: 1.0.0

The skill bundle contains a hardcoded API key (sk_inst_22609319753836272e6a044f4e9a44f3) in instreet_game_controller.js and performs external network requests to instreet.coze.site via instreet_adapter.js. While these features are documented as part of the 'InStreet' game integration, the presence of hardcoded credentials and external API communication constitutes a significant security risk and a vulnerability that warrants caution.
Capability Assessment
Purpose & Capability
The declared purpose is a local party game; that matches most game logic files. However the package and docs also advertise Feishu/InStreet integration while SKILL.md frontmatter lists only 'node' and no credentials. The code includes an InStreet adapter and controller that perform network operations to an external host, which is not reflected in requires.env or the SKILL.md 'no external network' claim — this is incoherent.
Instruction Scope
SKILL.md and INSTALL.md describe local gameplay and state storage, but code (instreet_adapter.js, instreet_game_controller.js) will transmit game actions and user descriptions to a remote API. The realtime/status and controller scripts also read/write local JSON files. Instructions do not disclose that player descriptions or votes may be sent to an external endpoint.
Install Mechanism
There is no install spec (instruction-only), which minimizes installer risk. But package.json lists no runtime dependencies while source requires 'axios' (and other modules) — running the skill as-is would either fail or implicitly require npm install, introducing additional surface for supply-chain risk. No external downloads are defined in the manifest itself.
Credentials
requires.env lists no credentials, yet instreet_game_controller.js hardcodes an API key ('sk_inst_22609319753836272e6a044f4e9a44f3') and instreet_adapter expects an API key to call remote APIs. The skill thus uses credentials (embedded secret) without declaring them; in addition, user-provided descriptions and votes may be transmitted to the external service without explicit disclosure.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable. It writes files (current_instreet_room.json, current_game.json, game_status.txt) into its directory which is expected for session state. However autonomous invocation combined with undeclared external network access increases risk if the skill acts without clear user consent.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install who-is-undercover-publish
  3. After installation, invoke the skill by name or use /who-is-undercover-publish
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of Who is Undercover skill for OpenClaw:
- Play the classic party game "Who is Undercover" (谁是卧底) with 4–10 participants and AI opponents.
- Features realistic AI agents, smart voting, complete game mechanics, and turn-based gameplay.
- Includes one-click installation and Feishu integration for group play.
- Supports commands to start/join games, describe words, vote, and check game status.
Metadata
Slug: who-is-undercover-publish
Version: 1.0.0
License: MIT-0
All-time Installs: 1
Active Installs: 1
Total Versions: 1
Frequently Asked Questions

What is Who Is Undercover Publish?

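Who Is Undercover (谁是卧底): an AI version of the classic social deduction game, supporting 4-10 players, with intelligent AI opponents and complete game mechanics. It is an AI Agent Skill for Claude Code / OpenClaw, with 81 downloads so far.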

How do I install Who Is Undercover Publish?

Run "/install who-is-undercover-publish" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Who Is Undercover Publish free?

Yes, Who Is Undercover Publish is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Who Is Undercover Publish support?

Who Is Undercover Publish is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Who Is Undercover Publish?

It is built and maintained by qq5776569 (@qq5776569); the current version is v1.0.0.
