ClawHub

CSFloat

v1.0.0

Queries csfloat.com for data on skins

0· 996·2 current·2 all-time
by@bluesyparty-src
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (querying csfloat.com for skins) lines up with requiring jq and an API key. Requiring only CSFLOAT_API_KEY is proportional to the stated purpose.
!
Instruction Scope
The SKILL.md repeatedly contains mistakes: it says "hit the Trello REST API" (wrong service), the Create-listing example uses a malformed header (-H "Authorization: $LISTING_ID; Content-Type: application/json") and places the wrong variable in Authorization. These are copy/paste and formatting errors that could lead to incorrect requests or accidental leaks if a user supplies the wrong env var.
Install Mechanism
Instruction-only skill with no install spec — lowest risk. The only runtime dependency is jq, which is reasonable for the provided jq examples.
Credentials
Only CSFLOAT_API_KEY is declared, which is appropriate. However the instructions reference $LISTING_ID in Authorization for the POST (and use $LISTING_ID as a path variable elsewhere) without declaring it — this is inconsistent and could cause misuse if a user sets unexpected env vars.
Persistence & Privilege
Skill is not always-included, does not request persistent privileges, and does not modify other skills or system settings.
What to consider before installing
The skill appears to be a simple API wrapper but the SKILL.md has clear copy/paste and header formatting errors. Before installing or using it: (1) verify the API and header format in the official docs (Authorization may require a 'Bearer ' prefix or a specific header format); (2) fix the Create-listing curl to use -H "Authorization: $CSFLOAT_API_KEY" and a separate -H "Content-Type: application/json" and ensure the POST body is correct; (3) confirm $LISTING_ID is only a command-specific placeholder (not an env var) and will not be used for auth; (4) avoid running commands that echo secrets into logs or public terminals, and limit the API key scope if csfloat supports scoped keys; (5) ask the publisher to correct the SKILL.md (remove the Trello reference and fix examples) — if they cannot or will not, treat the skill as untrustworthy and do not provide your API key.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fn6cb20bv1m1kj544epsw7180ray7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

𝒇 Clawdis
Binsjq
EnvCSFLOAT_API_KEY

Comments