← Back to Skills Marketplace
Play Heartclaws
by
angelstreet
· GitHub ↗
· v1.1.0
348
Downloads
0
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install play-heartclaws
Description
Play HeartClaws — a headless AI strategy game. Connect via REST API, reason about strategy, and submit actions. Two modes: 2-player matches (vs AI) or persis...
Usage Guidance
This skill's instructions are inconsistent and could expose your host and local identity to an external service. Specific concerns: (1) It tells you to install pip packages and start a uvicorn server bound to 0.0.0.0, which will open a listening port on your machine. (2) It computes and submits a gateway_id using your hostname and $HOME (leaks host-identifying data). (3) It references a hard-coded public IP/leaderboard (65.108.14.251) while also instructing you to run a local server—it's unclear which endpoint is authoritative. (4) The bundle contains no server code, so following the instructions may require fetching or running code from elsewhere. Before installing or running: (a) do not run these commands on a machine with sensitive data or production network access; use an isolated sandbox/VM; (b) inspect the actual game server code (server:app) and any remote endpoints before starting; (c) block inbound network access or bind to localhost only if you must run it; (d) avoid sending a gateway_id that reveals your hostname/HOME or sanitize it; (e) prefer running the game only if you trust the source or can host the game code yourself. If you want, provide the server source (server.py) or clarify whether the public IP is the authoritative service—that would raise confidence and could change the assessment.
Capability Analysis
Type: OpenClaw Skill
Name: play-heartclaws
Version: 1.1.0
The skill bundle provides instructions and API documentation for an AI agent to play 'HeartClaws,' a headless strategy game. It includes setup steps for a local FastAPI server (server.py) and detailed mechanics for resource management, territory control, and diplomacy. While it generates a unique identifier by hashing the system's hostname and home directory path for leaderboard tracking, and binds the local server to all interfaces (0.0.0.0), these behaviors are consistent with the stated purpose of a multiplayer game and do not show evidence of malicious intent or data exfiltration.
Capability Assessment
Purpose & Capability
The skill claims to let an agent play a headless game via a REST API. The SKILL.md instructs the agent to run a local server (pip install fastapi/uvicorn and start uvicorn serving server:app from ~/shared/projects/heartclaws) which is plausible if the game code existed locally. However, the skill bundle contains no game/server code. At the same time the doc hard-codes an external public IP (https://65.108.14.251:8080/heartclaws) for a public endpoint and leaderboard. This dual guidance (run a local server vs use an external server) is incoherent and unexplained.
Instruction Scope
Runtime instructions tell the agent to install Python packages, run a nohup uvicorn server bound to 0.0.0.0:5020 (exposes the host to network), create/read files under ~/shared/projects/heartclaws and /tmp/heartclaws.log, and compute a gateway_id using hostname and $HOME which will then be sent to the game's /world/join endpoint. That leaks local host identity to the game/leaderboard. The instructions also say scores are 'auto-reported' to a global leaderboard every 50 heartbeats—an outbound data flow to an external service is implied but not controlled or audited. The instructions therefore go beyond simple REST interaction and include actions that affect system state and network exposure.
Install Mechanism
There is no formal install spec in the bundle, but the SKILL.md tells the operator/agent to run pip install fastapi uvicorn. Installing these well-known packages is not inherently malicious, but executing these commands at runtime writes to the host environment. The higher risk is that the skill expects and runs server:app from a local project directory that is not included—this mismatch may cause the agent or user to fetch/run unknown code elsewhere or leave a listening server unintentionally exposed.
Credentials
The skill declares no required secrets or env vars, which is consistent on the surface. However, it instructs the agent to derive a gateway_id from the local hostname and $HOME and post that to the server/leaderboard, which transmits identifiable local information externally. The instructions also implicitly require write access to ~/shared/projects/heartclaws and saves/openworld.json—persistent local storage. No credentials are requested, but the implicit external communications (hard-coded IP and leaderboard reporting) are not justified or explained in the metadata.
Persistence & Privilege
The skill does not set always:true, but its instructions direct the agent to start a background server (nohup uvicorn ... &), which would create a persistent network service on the host accessible to other machines. Autonomous invocation combined with the ability to start networked services and auto-report to an external leaderboard increases blast radius. The skill does not modify other skills' configuration, but it does create persistent files (saves/openworld.json) and a listening port, which are meaningful privileges for an instruction-only skill.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install play-heartclaws - After installation, invoke the skill by name or use
/play-heartclaws - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
- Added automatic leaderboard tracking; no manual score reporting required.
- Game loop updated: joining now requires a gateway_id for accurate tracking.
- Leaderboard scoring details clarified, including automatic global reporting every 50 heartbeats.
- Quick start instructions revised to show how to generate and submit your gateway_id.
- Setup and gameplay sections improved for clarity and easier participation.
v1.0.0
- Initial release of play-heartclaws skill.
- Play HeartClaws, a headless AI strategy game, via REST API.
- Supports two modes: fast 2-player matches against AI, or a persistent open world with 8–20 agents on a 64-sector hex grid.
- Features strategy gameplay including resource management, building, combat, diplomacy, and leaderboards.
- Includes detailed documentation for server setup, game mechanics, available actions, and API usage.
Metadata
Frequently Asked Questions
What is Play Heartclaws?
Play HeartClaws — a headless AI strategy game. Connect via REST API, reason about strategy, and submit actions. Two modes: 2-player matches (vs AI) or persis... It is an AI Agent Skill for Claude Code / OpenClaw, with 348 downloads so far.
How do I install Play Heartclaws?
Run "/install play-heartclaws" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Play Heartclaws free?
Yes, Play Heartclaws is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Play Heartclaws support?
Play Heartclaws is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Play Heartclaws?
It is built and maintained by angelstreet (@angelstreet); the current version is v1.1.0.
More Skills