game-market
PassAudited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill Name: game-market-skill Version: 1.0.0 The skill provides functionality to query game trading listings from the YY marketplace (mall.yy.com). It uses Python snippets in SKILL.md to fetch categories and search results from gamemarket.yy.com using a self-contained MD5 signing mechanism with hardcoded API credentials. The behavior is transparent, aligns with the stated purpose, and shows no signs of data exfiltration, malicious execution, or unauthorized system access.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may run Python in the agent environment and send the selected game/category query to YY's marketplace API.
The skill's normal operation relies on executing inline Python that makes external HTTPS requests. This is disclosed and central to querying listings, but it is still local code execution.
Run this Python snippet ... resp = requests.get(BASE + uri, params=params, headers=sign(uri), timeout=15)
Use it only in an environment where running simple network-query snippets is acceptable, and avoid entering unrelated sensitive information into marketplace searches.
The skill does not require your YY login, but its requests are made using embedded marketplace signing values rather than a user-provided credential.
The skill embeds signing material for YY marketplace API requests. It is not a user credential and is disclosed as a front-end signature, but it represents delegated API identity for the marketplace query flow.
APPID = "market_app" SECRET = "ixlOJVDwdOm5rGdudhEywwK6" HDID = "38e6a82f5f724517d6cbe82cde56e846690afcb0"
Treat the skill as using YY's public/front-end API behavior; do not add personal account tokens or cookies unless the skill is updated to clearly scope and protect them.
Confirming the prompt may open an external marketplace page where you could choose to log in, buy, or sell outside the chat.
The buy/sell flow can launch a browser to the YY marketplace. The artifacts require user confirmation and do not instruct the agent to complete purchases or sales.
If user confirms, run: open "https://mall.yy.com/?pageId=20000"
Confirm only when you intend to visit YY, verify the URL and item details yourself, and complete any transaction manually on the website.