Game Account Valuation

Pass

Audited by ClawScan on May 13, 2026.

Overview

The skill’s described behavior matches game account valuation, but it depends on a precompiled helper binary that is absent from the reviewed package (and therefore unreviewed), and it asks users to share game-account attributes or complete a QR verification with YY.

No malicious behavior is evident in the provided artifacts. Before installing, note that the reviewed package does not include the helper binary it describes, so verify the source and behavior of any binary you run: confirm where it came from, check its checksum against one the publisher provides, and confirm that the only endpoint it contacts is the one the publisher names (gamemarket.yy.com). Use the QR scan only for the account you want valued, and share only the attributes needed for the valuation.

Publisher note

This skill queries game account valuation prices via YY's official Game Market API (https://gamemarket.yy.com). Key security context:

1. Authentication: The pre-compiled binary (scripts/game-valuation) embeds a read-only API signing key (appId + MD5 secret) for frontend-only signature verification. This is equivalent to the signing logic used in the YY Game Market web frontend (mall.yy.com). No user login credentials, OAuth tokens, or session cookies are required or collected.
2. Network: All API requests are sent exclusively to https://gamemarket.yy.com. The skill never connects to any other endpoint. API calls are limited to read-only valuation queries (GET) and valuation submission (POST with game attributes only).
3. Data handling: Valuation requests only contain game attributes (server region, real-name status, anti-addiction status). No sensitive personal information is transmitted. Scan QR codes are saved to a local temp directory and automatically deleted after successful scan or timeout.
4. User interaction: For games requiring QR code scan verification (和平精英 (Game for Peace), 三角洲行动 (Delta Force)), the scan command handles the full flow (save QR → open → poll → execute → cleanup) in a single call. For 王者荣耀 (Honor of Kings) (authType=0), no scan is needed and execute is called directly after commit.
5. Output filtering: Game nicknames (nickname field) are explicitly excluded from displayed results to protect user privacy.
6. No write operations: The skill only reads valuation data. It does not create, modify, or delete any account or transaction data.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a helper binary is obtained from another source, the user would be trusting code that was not present for this review. Because that binary carries the signing key and performs every API call, whoever supplies it decides where the submitted account attributes are sent. The current package may also fail because the referenced helper is absent.

Why it was flagged

The skill relies on a precompiled local helper with an embedded signing key, while the reviewed artifact set contains no such code file. This is a provenance and verifiability gap, not evidence of malicious behavior by itself. Note also that a signing secret compiled into a distributed binary can be recovered by anyone who has the binary; the publisher describes it as read-only and equivalent to the key used by the web frontend, so, if that description is accurate, its exposure does not put the user's own credentials at risk.

Skill content
path: scripts/game-valuation ... "Valuation API interaction script (precompiled binary), with a built-in read-only API signing key"

Recommendation

Install only from a trusted source, verify the helper binary (at minimum its origin, its checksum against a publisher-supplied digest, and the network destinations it contacts) or its source code before use, and ask the publisher to include auditable code or a verifiable binary in the reviewed package.
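A pre-install check of the kind this recommendation asks for, as an added example (it is not part of the ClawScan report or the skill's own code): it compares the helper's SHA-256 against a digest the publisher would have to supply out of band, and lists every hostname embedded as a printable URL so that anything other than gamemarket.yy.com stands out. The byte blobs, the `collector.example.net` host and the expected digest are constructed for the example; the real scripts/game-valuation was not available to the review.

```python
"""Added example, not the skill's code: static checks on a precompiled helper
binary before it is run. The sample blobs below are constructed stand-ins."""
from __future__ import annotations

import hashlib
import re

# Hosts the publisher states the helper talks to (the only endpoint named on the page).
ALLOWED_HOSTS = frozenset({"gamemarket.yy.com"})

# http(s) URLs that survive as printable ASCII inside the file.
_URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def sha256_hex(data: bytes) -> str:
    """Digest to compare against a checksum the publisher provides out of band."""
    return hashlib.sha256(data).hexdigest()


def embedded_hosts(data: bytes) -> set[str]:
    """Hostnames of every URL that appears as printable bytes in the file."""
    return {m.group(1).decode("ascii").lower() for m in _URL_RE.finditer(data)}


def check_helper(data: bytes, expected_sha256: str | None,
                 allowed_hosts=ALLOWED_HOSTS) -> dict:
    """Report digest match and any embedded host outside the allowlist.

    A stripped or packed binary can hide its strings, so an empty
    'unexpected_hosts' is only evidence for a plain, unobfuscated file;
    a non-empty one is a hard stop. expected_sha256=None skips the digest
    check and records that provenance still rests on trust.
    """
    digest = sha256_hex(data)
    digest_ok = expected_sha256 is None or digest == expected_sha256.lower()
    hosts = embedded_hosts(data)
    unexpected = hosts - set(allowed_hosts)
    return {
        "sha256": digest,
        "digest_checked": expected_sha256 is not None,
        "digest_ok": digest_ok,
        "hosts": sorted(hosts),
        "unexpected_hosts": sorted(unexpected),
        "ok": digest_ok and not unexpected,
    }


# Constructed stand-ins for a helper binary (not the real scripts/game-valuation).
CLEAN_SAMPLE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16
                + b"https://gamemarket.yy.com/api/valuation/query\x00")
TAMPERED_SAMPLE = CLEAN_SAMPLE + b"https://collector.example.net/upload\x00"


def main() -> None:
    # The "published" digest is assumed to be that of the clean sample.
    published = sha256_hex(CLEAN_SAMPLE)
    for name, blob in (("clean", CLEAN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        print(name, check_helper(blob, published))


if __name__ == "__main__":
    main()
```

Run it against the actual file with `check_helper(open(path, "rb").read(), publisher_digest)`. A clean host list means little for a stripped or packed binary, a non-empty `unexpected_hosts` is a stop regardless, and a missing publisher digest leaves the binary's provenance unverified.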

What this means

Scanning the QR code with the game's app is an account-verification step; it may authorize YY’s service to read the game account information needed for the valuation.

Why it was flagged

For some games, scanning the QR code is an account verification flow that allows the valuation service to fetch account valuation data. This is disclosed and aligned with the stated valuation purpose.

Skill content
The scan command automatically: ... polls the scan result in the background (every 5 seconds, for up to 10 minutes) ... after a successful scan, automatically calls execute to run the valuation

Recommendation

Only scan QR codes for accounts you intend to value, verify that the QR image the skill opens was fetched from YY’s official service (gamemarket.yy.com), and do not scan if you are unsure. If you do not complete the scan, expect the skill to keep polling for up to 10 minutes before it gives up.

What this means

Game account details such as server region, real-name status, anti-addiction status, and related valuation attributes may be shared with YY’s valuation API.

Why it was flagged

The skill discloses an external provider data flow and says selected game/account attributes are sent to YY’s API. The destination and purpose are clear, but the data still leaves the local environment.

Skill content
- All API requests are sent only to `https://gamemarket.yy.com` ... - Valuation requests contain only game attributes (server region, real-name status, etc.)

Recommendation

Provide only the requested valuation attributes, avoid adding extra personal information, and use the skill only if you are comfortable sharing those details with YY.
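The scan flow quoted under the previous finding and the data-minimisation rules of this one, as one added reference implementation (not the skill's own code, which was not in the reviewed package): the QR image lives in a temp file that is removed on success, on a terminal status and on timeout; polling is bounded to the stated 5 s interval and 10 min ceiling; the outgoing payload is checked against an allowlist of valuation attributes before any network step; and the nickname field is stripped from the result. The attribute names, status strings and response shape are assumptions, and every network call is an injected callable so that the constructed simulations in `main()` run offline.

```python
"""Added example, not the skill's code: a bounded QR scan/poll/execute flow with
guaranteed cleanup and an allowlisted valuation payload. Attribute names, status
strings and the response shape are assumptions; network calls are injected."""
from __future__ import annotations

import os
import tempfile
from typing import Callable, Mapping

# Assumed attribute allowlist, mirroring the publisher's description.
ALLOWED_ATTRIBUTES = frozenset({"server_region", "real_name_verified", "anti_addiction"})
HIDDEN_RESULT_FIELDS = frozenset({"nickname"})   # excluded from displayed results
POLL_INTERVAL_S = 5
POLL_TIMEOUT_S = 600


def build_payload(attributes: Mapping[str, object]) -> dict:
    """Refuse to send anything outside the allowlist rather than forward it silently."""
    extra = set(attributes) - ALLOWED_ATTRIBUTES
    if extra:
        raise ValueError(f"refusing to send non-valuation attributes: {sorted(extra)}")
    return dict(attributes)


def redact_result(result: Mapping[str, object]) -> dict:
    """Drop fields the user should not see echoed back."""
    return {k: v for k, v in result.items() if k not in HIDDEN_RESULT_FIELDS}


def _wait_for_scan(poll_status: Callable[[], str], sleep: Callable[[float], None],
                   interval: float, timeout: float) -> str:
    """Poll until confirmed, a terminal status, or the timeout; never unbounded."""
    waited = 0.0
    while True:
        status = poll_status()               # assumed: "pending" | "confirmed" | "expired"
        if status != "pending":
            return status
        if waited >= timeout:
            return "timeout"
        sleep(interval)
        waited += interval


def scan_and_value(fetch_qr: Callable[[], bytes], poll_status: Callable[[], str],
                   execute: Callable[[dict], Mapping[str, object]],
                   attributes: Mapping[str, object],
                   open_image: Callable[[str], None] = lambda path: None,
                   sleep: Callable[[float], None] = lambda s: None,
                   interval: float = POLL_INTERVAL_S, timeout: float = POLL_TIMEOUT_S) -> dict:
    payload = build_payload(attributes)      # validate before touching the network
    fd, qr_path = tempfile.mkstemp(prefix="yy-qr-", suffix=".png")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(fetch_qr())
        open_image(qr_path)
        status = _wait_for_scan(poll_status, sleep, interval, timeout)
        result = redact_result(execute(payload)) if status == "confirmed" else None
    finally:
        if os.path.exists(qr_path):
            os.remove(qr_path)               # cleanup on success, error and timeout alike
    return {"status": "ok" if status == "confirmed" else status, "result": result,
            "qr_path": qr_path, "qr_removed": not os.path.exists(qr_path)}


def make_poll(sequence: list) -> Callable[[], str]:
    """Constructed stand-in for the status endpoint: yields statuses in order, then repeats the last."""
    it = iter(sequence)
    return lambda: next(it, sequence[-1])


def fake_execute(payload: dict) -> dict:
    """Constructed response; the real API's fields are not known from the page."""
    return {"nickname": "player-123", "price_range": "100-120", "echo": payload}


def main() -> None:
    attrs = {"server_region": "region-1", "real_name_verified": True, "anti_addiction": False}
    print(scan_and_value(lambda: b"qr-bytes", make_poll(["pending", "pending", "confirmed"]),
                         fake_execute, attrs))
    print(scan_and_value(lambda: b"qr-bytes", make_poll(["pending"]), fake_execute, attrs))


if __name__ == "__main__":
    main()
```

The allowlist check runs before the QR is even fetched, so a caller that tries to attach extra personal data fails closed; the `finally` block is what makes the publisher's "deleted after successful scan or timeout" promise hold on the error path too.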