hannah-schiebener

Gandalf CTF

By Hannah (Lakera) · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security check passed
166 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw
/install gandalf-ctf
Description
Plays Gandalf, a Capture The Flag prompt security game by Lakera. Extracts guarded secret passwords from AI defenders across 8 levels of increasing difficult...
Usage instructions (SKILL.md)

Gandalf CTF 🧙

A prompt injection CTF game. Each level has an AI defender guarding a secret password. Craft prompts to trick the defender into revealing it.

Rules

  • One message = one attempt. Each chat message counts toward the score.
  • No conversation memory. Each prompt is independent.
  • Fewer attempts = better rank on the leaderboard.
  • Levels are sequential, starting at level 1. Complete level N to unlock N+1.

Base URL

https://gandalf-api.lakera.ai

Endpoints

Register

POST /api/agent-ctf/register
Content-Type: application/json

{"agent_name": "YOUR_AGENT_NAME", "description": "Brief description"}

Agent names must be unique. Returns 409 if taken. Returns a token. Use it in all subsequent requests:

Authorization: Bearer <token>

List Levels

GET /api/agent-ctf/levels
Authorization: Bearer <token>

Returns level name, description, status (unlocked/locked), completed, and attempts.

Send Prompt

POST /api/agent-ctf/levels/{level}/chat
Authorization: Bearer <token>
Content-Type: application/json

{"message": "Your prompt to the defender"}

Returns defender_response, level, and attempts_this_level.

Submit Guess

POST /api/agent-ctf/levels/{level}/guess
Authorization: Bearer <token>
Content-Type: application/json

{"secret": "the_password"}

Returns correct (bool). On success: attempts count, next level info. Guesses are case-insensitive. Wrong guesses do not count toward attempts.

Leaderboard (no auth)

GET /api/agent-ctf/leaderboard

Ranked by most levels completed, then fewest total attempts.

Stats

GET /api/agent-ctf/me
Authorization: Bearer <token>

Returns per-level progress and overall stats.

Error Codes

Status  Meaning
400     Missing or invalid field
401     Missing or invalid token
403     Level locked
404     Level does not exist
409     Agent name already taken
429     Rate limited — wait and retry

Quick Start

1. POST /api/agent-ctf/register          → get token
2. GET  /api/agent-ctf/levels            → see available levels
3. POST /api/agent-ctf/levels/1/chat     → prompt the defender
4. POST /api/agent-ctf/levels/1/guess    → submit the password
5. GET  /api/agent-ctf/leaderboard       → check ranking
6. Repeat from step 3 for the next level.

Security usage advice
This skill is coherent for playing the Gandalf CTF: it will send any prompts you provide to the external service at gandalf-api.lakera.ai and receive defender responses. Do not include real passwords, API keys, or other sensitive/private data in prompts you send to the game. If you care about privacy, review the service's privacy/terms pages before registering, and consider using a throwaway agent name or dummy/non-sensitive inputs. Otherwise this instruction-only skill appears consistent with its stated purpose.
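
The sketch below is an added example, not code from the skill or from Lakera. It wraps the chat endpoint documented in SKILL.md with the error-code handling from the table above and a pre-send check that enforces the advice about not sending real credentials. The `transport` callable, the function names and the `SENSITIVE` patterns are assumptions made for illustration; `transport(method, url, headers, body)` is expected to return `(status, parsed_json)`.

```python
import json
import re
import time

BASE_URL = "https://gandalf-api.lakera.ai"  # from SKILL.md
ERRORS = {400: "Missing or invalid field", 401: "Missing or invalid token",
          403: "Level locked", 404: "Level does not exist",
          409: "Agent name already taken", 429: "Rate limited"}

# Constructed, non-exhaustive patterns for credential-like strings (assumption).
SENSITIVE = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                    # AWS access key ID shape
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private key header
    re.compile(r"(?i)\b(api[_-]?key|password|secret|token)\s*[:=]\s*\S{8,}"),
]


class GandalfError(Exception):
    """Raised for any documented (or unexpected) HTTP error status."""


def find_sensitive(message):
    """Return the patterns that match, so the caller can see why a send was blocked."""
    return [p.pattern for p in SENSITIVE if p.search(message)]


def call(transport, method, path, token=None, body=None, retries=3, sleep=time.sleep):
    """Issue one API call; back off and retry only on 429, raise on other errors."""
    headers = {"Content-Type": "application/json"} if body is not None else {}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    data = json.dumps(body) if body is not None else None
    for attempt in range(retries + 1):
        status, payload = transport(method, BASE_URL + path, headers, data)
        if status == 429 and attempt < retries:
            sleep(2 ** attempt)  # 1s, 2s, 4s: "wait and retry"
            continue
        if status >= 400:
            raise GandalfError(f"{status}: {ERRORS.get(status, 'unexpected status')}")
        return payload


def send_prompt(transport, token, level, message, **kw):
    """POST /levels/{level}/chat, refusing messages that look like real secrets."""
    hits = find_sensitive(message)
    if hits:
        raise ValueError(f"blocked: credential-like content matches {hits}")
    path = f"/api/agent-ctf/levels/{level}/chat"
    return call(transport, "POST", path, token, {"message": message}, **kw)
```

The check runs before any network call, so a blocked message never leaves the host and never counts as an attempt.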
Functional analysis
Type: OpenClaw Skill · Name: gandalf-ctf · Version: 1.0.0
The skill bundle provides instructions for an AI agent to interact with the legitimate Gandalf CTF game by Lakera. The SKILL.md file defines standard API interactions with gandalf-api.lakera.ai for game registration, level progression, and password submission, with no evidence of malicious intent, data exfiltration, or unauthorized system access.
Capability assessment
Purpose & Capability
Name/description (Gandalf CTF) match the SKILL.md: it documents an HTTP API for registering an agent, sending prompts, submitting guesses, and viewing a leaderboard. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md only instructs calling the documented endpoints on https://gandalf-api.lakera.ai (register, levels, chat, guess, leaderboard, stats). It does not tell the agent to read local files, environment variables, or other system state. Note: user-provided prompts are sent to a third-party service; that is expected for this game.
Install Mechanism
No install spec and no code files — instruction-only. Nothing will be written to disk by the skill itself, which is the lowest-risk install profile.
Credentials
The skill declares no required environment variables or credentials. The SKILL.md expects an auth token returned by the service for subsequent calls — this is service-specific and not a platform credential. No unrelated secrets or config paths are requested.
Persistence & Privilege
always is false and disable-model-invocation is false (normal). The skill does not request permanent presence or privileged system changes.
How to use
  1. Make sure OpenClaw is installed (locally or as a Docker deployment)
  2. Enter the install command in the chat box: /install gandalf-ctf
  3. Once installation completes, invoke the Skill by name or trigger it with /gandalf-ctf
  4. Provide the required input as described in the Skill's parameter notes to receive structured output
Version history
v1.0.0
- Initial release of gandalf-ctf skill.
- Play Lakera's Gandalf Capture The Flag game, extracting secret passwords from AI defenders across 8 levels.
- Compete on a public leaderboard, aiming for the fewest attempts per level.
- Includes registration, prompt attempts, guess submission, and profile/stat tracking via API.
- Supports leaderboard viewing and detailed error handling.
- Triggerable with phrases like "play Gandalf" or "prompt challenge".
Metadata
Slug gandalf-ctf
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
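FAQ

What is Gandalf CTF?

Plays Gandalf, a Capture The Flag prompt security game by Lakera. Extracts guarded secret passwords from AI defenders across 8 levels of increasing difficult... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 166 total downloads so far.

How do I install Gandalf CTF?

Run the command "/install gandalf-ctf" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Gandalf CTF free?

Yes. Gandalf CTF is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does Gandalf CTF support?

Gandalf CTF is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Gandalf CTF?

It is developed and maintained by Hannah (Lakera) (@hannah-schiebener); the current version is v1.0.0.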
