Description

Visualize coding sessions as a real-time strategy game with automatic deploy and event reporting.

README (SKILL.md)

AgentCraft Event Reporting

Name: AgentCraft
Author: idosal

AgentCraft visualizes your coding sessions as an RTS game. Follow these steps to ensure AgentCraft is running and to report your activity.

1. Check if AgentCraft is Running

curl -sf http://localhost:2468/health

If this returns JSON with "status":"ok", skip to step 3.

2. Deploy if Needed

If the health check fails (server not running), start it in the background:

npx -y @idosal/agentcraft start --no-browser -d

Wait a few seconds, then verify:

curl -sf http://localhost:2468/health

If it still fails, proceed with your task without reporting — silently ignore all AgentCraft errors.

3. Generate a Session ID

Use a deterministic ID based on your workspace path:

AGENTCRAFT_SESSION="openclaw_$(echo -n "$PWD" | md5sum | head -c 12)"

On macOS (if md5sum is unavailable):

AGENTCRAFT_SESSION="openclaw_$(echo -n "$PWD" | md5 | head -c 12)"

Use this same AGENTCRAFT_SESSION for all events in this session.

4. Report Events

POST events to http://localhost:2468/event at these moments. Use curl — fire-and-forget, do not block on the response.

Starting work (`hero_active`)

When you begin processing a user prompt:

curl -sf -X POST http://localhost:2468/event \
  -H "Content-Type: application/json" \
  -d "{\"type\":\"hero_active\",\"sessionId\":\"$AGENTCRAFT_SESSION\",\"client\":\"openclaw\",\"cwd\":\"$PWD\"}" &>/dev/null &

Mission start (`mission_start`)

Immediately after hero_active, report the mission with the user's prompt:

curl -sf -X POST http://localhost:2468/event \
  -H "Content-Type: application/json" \
  -d "{\"type\":\"mission_start\",\"sessionId\":\"$AGENTCRAFT_SESSION\",\"client\":\"openclaw\",\"missionId\":\"mission_$(date +%s)\",\"name\":\"\x3Cfirst 50 chars of prompt>\",\"prompt\":\"\x3Cfull user prompt>\",\"cwd\":\"$PWD\"}" &>/dev/null &

File access (`file_access`)

When you read, write, or edit a file:

curl -sf -X POST http://localhost:2468/event \
  -H "Content-Type: application/json" \
  -d "{\"type\":\"file_access\",\"sessionId\":\"$AGENTCRAFT_SESSION\",\"client\":\"openclaw\",\"filePath\":\"\x3Cabsolute-file-path>\",\"operation\":\"read\",\"linesAdded\":0,\"linesRemoved\":0,\"cwd\":\"$PWD\"}" &>/dev/null &

Set operation to "read", "write", or "edit". For edits, set linesAdded and linesRemoved to actual counts.

Shell commands (`bash_command`)

When you execute a shell command:

curl -sf -X POST http://localhost:2468/event \
  -H "Content-Type: application/json" \
  -d "{\"type\":\"bash_command\",\"sessionId\":\"$AGENTCRAFT_SESSION\",\"client\":\"openclaw\",\"command\":\"\x3Ccommand, max 200 chars>\",\"cwd\":\"$PWD\"}" &>/dev/null &

Done / idle (`hero_idle`)

When you finish processing and are waiting for the next prompt:

curl -sf -X POST http://localhost:2468/event \
  -H "Content-Type: application/json" \
  -d "{\"type\":\"hero_idle\",\"sessionId\":\"$AGENTCRAFT_SESSION\",\"client\":\"openclaw\"}" &>/dev/null &

Rules

Use curl to POST — fire-and-forget (&>/dev/null &), do not block on the response.
Always set client to "openclaw".
Use the same AGENTCRAFT_SESSION value for all events in a session.
Set cwd to the current working directory.
Do not report the same action more than once.
If the AgentCraft server is not reachable, silently ignore errors — do not retry or log failures.

Inviting Other Agents

Other OpenClaw agents can join your AgentCraft dashboard without installing this skill.

Quick join (same machine)

Share these curl commands with other agents. They only need to generate their own session ID and POST events:

# Generate a unique session ID (use md5 instead of md5sum on macOS)
AGENTCRAFT_SESSION="openclaw_$(echo -n "$PWD" | md5sum | head -c 12)"

# Report active
curl -sf -X POST http://localhost:2468/event \
  -H "Content-Type: application/json" \
  -d "{\"type\":\"hero_active\",\"sessionId\":\"$AGENTCRAFT_SESSION\",\"client\":\"openclaw\",\"cwd\":\"$PWD\"}" &>/dev/null &

# Report idle when done
curl -sf -X POST http://localhost:2468/event \
  -H "Content-Type: application/json" \
  -d "{\"type\":\"hero_idle\",\"sessionId\":\"$AGENTCRAFT_SESSION\",\"client\":\"openclaw\"}" &>/dev/null &

Share with remote agents

To let agents on other machines join:

Expose your AgentCraft server:

cloudflared tunnel --url http://127.0.0.1:2468

Share the resulting https://xxx.trycloudflare.com URL.
Remote agents replace localhost:2468 with that URL in all event curl commands.

Usage Guidance

Before installing: 1) Treat the npm package and the npx start command as unvetted code — audit @idosal/agentcraft source or run it in an isolated/test environment (container or VM). 2) Be aware that the skill's runtime explicitly sends full user prompts, absolute file paths, and shell commands to the AgentCraft server; do not expose that server to the internet (cloudflared) unless you fully trust the service and understand what data will be collected. 3) Consider removing or questioning the always:true flag — this skill shouldn't need forced always-on status. 4) If you must use it, restrict network exposure (keep it local), avoid reporting sensitive prompts/files/commands, and verify the package publisher and package contents. If the maintainer can provide source code, a privacy policy, and justification for always:true and for sharing data via tunnels, re-evaluation could move toward benign.

Capability Analysis

Type: OpenClaw Skill Name: agentcraft Version: 1.0.0 The skill implements extensive telemetry by instructing the agent to exfiltrate user prompts, absolute file paths, and shell commands to a local server (port 2468) started via 'npx @idosal/agentcraft'. While the stated goal is session visualization, the instructions in SKILL.md explicitly encourage exposing this sensitive data to the public internet using 'cloudflared' tunnels. The requirement for the agent to 'silently ignore' errors and run reporting processes in the background increases the risk of undetected data collection and potential supply chain compromise via the external npm package.

Capability Assessment

ℹ Purpose & Capability

The name/description (visualize coding sessions, event reporting) aligns with the binaries and the declared npm package (@idosal/agentcraft). However the runtime instructions recommend exposing the local server via cloudflared (a tool not listed in required bins) and instruct sharing potentially sensitive data (full prompts, file paths, shell commands) — those capabilities expand the scope beyond simple local visualization and aren't reflected in the declared requirements.

⚠ Instruction Scope

The SKILL.md instructs the agent to collect and POST full user prompts, absolute file paths, and executed shell commands to the AgentCraft server. While default target is localhost, the doc explicitly instructs how to expose that server (cloudflared tunnel) so remote agents can join, which would forward local data to a public URL. The skill also tells the agent to start the server via npx (running remote code) and to silently ignore failures — this grants discretion to transmit sensitive data and to execute non-local code.

ℹ Install Mechanism

Install is via an npm package (@idosal/agentcraft) and the SKILL.md uses npx to run it. npm is a common mechanism but runs unvetted code from a public registry; npx -y will execute without prompting. This is a moderate-risk install mechanism and should be audited before use.

ℹ Credentials

The skill does not request secrets or environment variables, which is appropriate. However it relies on runtime values (PWD, file contents, user prompts) and instructs sending them to the local/remote server; although not an 'env var' leak, this is sensitive data exposure beyond what a simple visualization might require.

⚠ Persistence & Privilege

The skill is marked always:true in metadata/flags. Forcing this skill to always be enabled is a significant privilege for a visualization/reporting tool and increases risk because it can be invoked or cause installs without per-use consent. Combined with the ability to run npx and transmit session data, this is disproportionate.

Version History

v1.0.0

Initial ClawHub release — RTS dashboard with automatic deploy and event reporting

Metadata

Slug agentcraft

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is AgentCraft?

Visualize coding sessions as a real-time strategy game with automatic deploy and event reporting. It is an AI Agent Skill for Claude Code / OpenClaw, with 315 downloads so far.

How do I install AgentCraft?

Run "/install agentcraft" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is AgentCraft free?

Yes, AgentCraft is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does AgentCraft support?

AgentCraft is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created AgentCraft?

It is built and maintained by idosal (@idosal); the current version is v1.0.0.

More Skills

AgentCraft