Game Account Valuation

Pass

Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: game-valuation-skill
Version: 1.0.7

The skill relies on a pre-compiled binary (scripts/game-valuation) to handle API interactions and QR code processing, which is opaque and cannot be audited for malicious logic. While the stated purpose of game account valuation on the legitimate 'gamemarket.yy.com' domain appears benign, the binary's ability to manage authentication tokens and trigger QR code scans for 'Peacekeeper Elite' and 'Delta Force' introduces a risk of session hijacking or unauthorized account access if the binary were compromised or intentionally malicious.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a helper binary is obtained from another source, the user would be trusting code that was not present for this review; the current package may also fail because the referenced helper is absent.

Why it was flagged

The skill relies on a precompiled local helper with an embedded signing key, while the reviewed artifact set contains no such code file. This is a provenance and verifiability gap, not evidence of malicious behavior by itself.

Skill content
path: scripts/game-valuation ... "Valuation API interaction script (precompiled binary) with a built-in read-only API signing key"
Recommendation

Install only from a trusted source, verify the helper binary or source code before use, and ask the publisher to include auditable code or a verifiable binary in the reviewed package.

What this means

Scanning the QR code may authorize YY’s service to read game account information needed for the valuation.

Why it was flagged

For some games, scanning the QR code is an account verification flow that allows the valuation service to fetch account valuation data. This is disclosed and aligned with the stated valuation purpose.

Skill content
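The scan command automatically: ... polls for the scan result in the background (every 5 seconds, for up to 10 minutes) ... after a successful scan, automatically calls execute to run the valuation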
Recommendation

Only scan QR codes for accounts you intend to value, verify that the QR flow is from YY’s official service, and do not scan if you are unsure.

What this means

Game account details such as server region, real-name status, anti-addiction status, and related valuation attributes may be shared with YY’s valuation API.

Why it was flagged

The skill discloses an external provider data flow and says selected game/account attributes are sent to YY’s API. The destination and purpose are clear, but the data still leaves the local environment.

Skill content
- All API requests are sent only to `https://gamemarket.yy.com` ... - Valuation requests contain only game attributes (server region, real-name status, etc.)
Recommendation

Provide only the requested valuation attributes, avoid adding extra personal information, and use the skill only if you are comfortable sharing those details with YY.