Epic Free Games
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is open about automating Epic game claims, but it uses persistent login cookies, scheduled browser automation, and bot-detection avoidance guidance to place account orders automatically.
Review this skill carefully before installing. It is not just a helper script: it can keep an Epic session, run automatically, and place $0 orders on your account. Use a sandbox if possible, protect epic_auth.json, avoid the anti-detection guidance, and do not enable cron unless you accept the account and terms-of-service risks.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
It could claim unwanted items or trigger Epic account enforcement, especially if the page changes or the automation clicks the wrong order button.
The skill is designed to automatically complete an account purchase/claim flow, which mutates the user's Epic account and may be hard to reverse.
completes the full claim process (Get → Place Order → Confirm)
Use only if you accept the account risk. Prefer headed/manual runs, add an explicit confirmation before placing orders, and verify the item and $0 price before confirmation.
Using anti-detection browser settings against a third-party store may violate site rules and increase the chance of account challenges or suspension.
The documentation includes a bot-detection avoidance browser flag in the context of Cloudflare verification handling.
Cloudflare 验证绕过 ... --args "--disable-blink-features=AutomationControlled"
Avoid bypass/anti-detection options unless you fully understand the consequences. Handle verification manually and comply with the service's terms.
Anyone with access to the saved auth file may be able to reuse the Epic login session.
The skill saves Epic browser session state locally, which can act like account credentials if copied or stolen.
Persistent Login - Login once, works forever (saves cookies) ... The auth file contains sensitive credentials
Keep epic_auth.json private, do not commit or share it, and consider running the skill in a separate sandbox or VM.
If enabled, the automation may continue acting on the Epic account even when the user is not watching.
The skill documents recurring scheduled execution, which can keep performing account actions after the initial setup.
Cron Support / 定时任务支持 - Auto-claim every Thursday
Only add the cron job deliberately, monitor its output, and remove it if you no longer want automated claims.
A changed or compromised dependency could affect what the automation does in the browser session.
The skill depends on an external globally installed browser automation package that is not pinned in the artifacts.
npm install -g agent-browser agent-browser install
Install agent-browser from a trusted source, review the installed version, and consider pinning or sandboxing the dependency.