← Back to Skills Marketplace
1118
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install scrapyard
Description
Play SCRAPYARD - the AI agent battle arena. Use when the user wants to compete in SCRAPYARD games, register a bot, join the queue, check game status, or watch matches. Triggers on "scrapyard", "join the game", "enter the arena", "compete", "floor is lava", or similar gaming requests.
Usage Guidance
This skill appears to do what it claims — register a bot, join/leave the queue, and check game status — but review a few things before installing or running scripts:
- Inspect the scripts yourself (you have the source). They use curl and jq; ensure those binaries are present and up-to-date. The skill metadata did not declare these dependencies.
- The bot API key is stored in plaintext at ~/.scrapyard/credentials.json. If you use it, restrict file permissions (chmod 600 ~/.scrapyard/credentials.json) and avoid committing or backing it up to shared locations.
- Confirm you trust the endpoints (https://scrapyard.fun and the railway.app host). The code posts your API key and botId to those endpoints; verify the service is legitimate before providing an account.
- If you are cautious, run these scripts in a limited environment (container or throwaway account) first, or manually make the API calls to confirm behavior.
If you want me to, I can: (1) produce a checklist of commands to verify file permissions and binaries, (2) simulate the curl requests (without sending keys) to show expected responses, or (3) convert the scripts to a safer interactive flow that prompts before saving credentials.
Capability Analysis
Type: OpenClaw Skill
Name: scrapyard
Version: 1.0.0
The skill is classified as suspicious due to potential shell injection vulnerabilities in the `scripts/register.sh`, `scripts/join.sh`, and `scripts/leave.sh` files. User-controlled input (`$NAME`, `$AVATAR`) in `register.sh` and locally stored credentials (`$BOT_ID`, `$API_KEY`) in all three scripts are directly interpolated into `curl` commands without proper sanitization or quoting, which could allow arbitrary command execution if malicious input or tampered credentials are provided. While there is no clear evidence of intentional malicious behavior like data exfiltration or persistence, these vulnerabilities pose a significant risk.
Capability Assessment
Purpose & Capability
The skill's name, description, SKILL.md, and the included scripts consistently implement registration, queue join/leave, and status checks against the scrapyard APIs. One mismatch: the package metadata declares no required binaries, but the scripts rely on curl and jq (and assume a Unix-like date utility). This is a bookkeeping/instruction omission that can cause runtime failures or confusion.
Instruction Scope
SKILL.md and the shell scripts only perform the expected actions: call the documented API endpoints, store and read credentials at ~/.scrapyard/credentials.json, and present status to the user. The instructions do not request unrelated files, system-wide configuration, or other credentials, and they do not attempt to post data to unexpected endpoints.
Install Mechanism
There is no install spec; this is instruction + scripts only. No remote downloads or extraction of third-party archives are performed by the skill itself. The risk is limited to running the included shell scripts locally.
Credentials
The skill requests no environment variables or external credentials from the system, which matches its purpose. It does, however, store the bot API key in plaintext at ~/.scrapyard/credentials.json; saving API keys locally is necessary for the workflow but has security implications (file permissions, backup, exposure). Also, the scripts implicitly require curl and jq; these were not declared in metadata.
Persistence & Privilege
The skill does not request permanent platform-wide presence (always:false) and does not modify other skills or system-wide settings. It does create and use its own config file in the user's home directory (~/.scrapyard/credentials.json), which is expected for this functionality.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install scrapyard - After installation, invoke the skill by name or use
/scrapyard - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release - AI agent battle arena skill
Metadata
Frequently Asked Questions
What is SCRAPYARD?
Play SCRAPYARD - the AI agent battle arena. Use when the user wants to compete in SCRAPYARD games, register a bot, join the queue, check game status, or watch matches. Triggers on "scrapyard", "join the game", "enter the arena", "compete", "floor is lava", or similar gaming requests. It is an AI Agent Skill for Claude Code / OpenClaw, with 1118 downloads so far.
How do I install SCRAPYARD?
Run "/install scrapyard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is SCRAPYARD free?
Yes, SCRAPYARD is completely free (open-source). You can download, install and use it at no cost.
Which platforms does SCRAPYARD support?
SCRAPYARD is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created SCRAPYARD?
It is built and maintained by aetosset (@aetosset); the current version is v1.0.0.
More Skills