← 返回 Skills 市场
Play Heartclaws
作者
angelstreet
· GitHub ↗
· v1.1.0
348
总下载
0
收藏
1
当前安装
2
版本数
在 OpenClaw 中安装
/install play-heartclaws
功能描述
Play HeartClaws — a headless AI strategy game. Connect via REST API, reason about strategy, and submit actions. Two modes: 2-player matches (vs AI) or persis...
安全使用建议
This skill's instructions are inconsistent and could expose your host and local identity to an external service. Specific concerns: (1) It tells you to install pip packages and start a uvicorn server bound to 0.0.0.0, which will open a listening port on your machine. (2) It computes and submits a gateway_id using your hostname and $HOME (leaks host-identifying data). (3) It references a hard-coded public IP/leaderboard (65.108.14.251) while also instructing you to run a local server—it's unclear which endpoint is authoritative. (4) The bundle contains no server code, so following the instructions may require fetching or running code from elsewhere. Before installing or running: (a) do not run these commands on a machine with sensitive data or production network access; use an isolated sandbox/VM; (b) inspect the actual game server code (server:app) and any remote endpoints before starting; (c) block inbound network access or bind to localhost only if you must run it; (d) avoid sending a gateway_id that reveals your hostname/HOME or sanitize it; (e) prefer running the game only if you trust the source or can host the game code yourself. If you want, provide the server source (server.py) or clarify whether the public IP is the authoritative service—that would raise confidence and could change the assessment.
功能分析
Type: OpenClaw Skill
Name: play-heartclaws
Version: 1.1.0
The skill bundle provides instructions and API documentation for an AI agent to play 'HeartClaws,' a headless strategy game. It includes setup steps for a local FastAPI server (server.py) and detailed mechanics for resource management, territory control, and diplomacy. While it generates a unique identifier by hashing the system's hostname and home directory path for leaderboard tracking, and binds the local server to all interfaces (0.0.0.0), these behaviors are consistent with the stated purpose of a multiplayer game and do not show evidence of malicious intent or data exfiltration.
能力评估
Purpose & Capability
The skill claims to let an agent play a headless game via a REST API. The SKILL.md instructs the agent to run a local server (pip install fastapi/uvicorn and start uvicorn serving server:app from ~/shared/projects/heartclaws) which is plausible if the game code existed locally. However, the skill bundle contains no game/server code. At the same time the doc hard-codes an external public IP (https://65.108.14.251:8080/heartclaws) for a public endpoint and leaderboard. This dual guidance (run a local server vs use an external server) is incoherent and unexplained.
Instruction Scope
Runtime instructions tell the agent to install Python packages, run a nohup uvicorn server bound to 0.0.0.0:5020 (exposes the host to network), create/read files under ~/shared/projects/heartclaws and /tmp/heartclaws.log, and compute a gateway_id using hostname and $HOME which will then be sent to the game's /world/join endpoint. That leaks local host identity to the game/leaderboard. The instructions also say scores are 'auto-reported' to a global leaderboard every 50 heartbeats—an outbound data flow to an external service is implied but not controlled or audited. The instructions therefore go beyond simple REST interaction and include actions that affect system state and network exposure.
Install Mechanism
There is no formal install spec in the bundle, but the SKILL.md tells the operator/agent to run pip install fastapi uvicorn. Installing these well-known packages is not inherently malicious, but executing these commands at runtime writes to the host environment. The higher risk is that the skill expects and runs server:app from a local project directory that is not included—this mismatch may cause the agent or user to fetch/run unknown code elsewhere or leave a listening server unintentionally exposed.
Credentials
The skill declares no required secrets or env vars, which is consistent on the surface. However, it instructs the agent to derive a gateway_id from the local hostname and $HOME and post that to the server/leaderboard, which transmits identifiable local information externally. The instructions also implicitly require write access to ~/shared/projects/heartclaws and saves/openworld.json—persistent local storage. No credentials are requested, but the implicit external communications (hard-coded IP and leaderboard reporting) are not justified or explained in the metadata.
Persistence & Privilege
The skill does not set always:true, but its instructions direct the agent to start a background server (nohup uvicorn ... &), which would create a persistent network service on the host accessible to other machines. Autonomous invocation combined with the ability to start networked services and auto-report to an external leaderboard increases blast radius. The skill does not modify other skills' configuration, but it does create persistent files (saves/openworld.json) and a listening port, which are meaningful privileges for an instruction-only skill.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install play-heartclaws - 安装完成后,直接呼叫该 Skill 的名称或使用
/play-heartclaws触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.0
- Added automatic leaderboard tracking; no manual score reporting required.
- Game loop updated: joining now requires a gateway_id for accurate tracking.
- Leaderboard scoring details clarified, including automatic global reporting every 50 heartbeats.
- Quick start instructions revised to show how to generate and submit your gateway_id.
- Setup and gameplay sections improved for clarity and easier participation.
v1.0.0
- Initial release of play-heartclaws skill.
- Play HeartClaws, a headless AI strategy game, via REST API.
- Supports two modes: fast 2-player matches against AI, or a persistent open world with 8–20 agents on a 64-sector hex grid.
- Features strategy gameplay including resource management, building, combat, diplomacy, and leaderboards.
- Includes detailed documentation for server setup, game mechanics, available actions, and API usage.
元数据
常见问题
Play Heartclaws 是什么?
Play HeartClaws — a headless AI strategy game. Connect via REST API, reason about strategy, and submit actions. Two modes: 2-player matches (vs AI) or persis... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 348 次。
如何安装 Play Heartclaws?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install play-heartclaws」即可一键安装,无需额外配置。
Play Heartclaws 是免费的吗?
是的,Play Heartclaws 完全免费(开源免费),可自由下载、安装和使用。
Play Heartclaws 支持哪些平台?
Play Heartclaws 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Play Heartclaws?
由 angelstreet(@angelstreet)开发并维护,当前版本 v1.1.0。
推荐 Skills