ClawHub

Steam Community Inventory

v1.0.1

Retrieves Steam inventory data for a user from steamcommunity.com

0· 1k·0 current·0 all-time
by@bluesyparty-src
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (fetch Steam inventory) match the declared requirements: curl and jq are appropriate, and STEAM_ID + STEAM_COOKIES are the credentials needed to retrieve a user's private inventory from steamcommunity.com.
Instruction Scope
SKILL.md only instructs the agent to run curl against steamcommunity.com with a Cookie header and to use jq to parse JSON. This stays within the stated purpose. Note that it explicitly asks the user to export a steamLoginSecure cookie value — this is a web session token and is sensitive; the instructions do not ask for any unrelated files or other environment variables.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes risk because nothing is downloaded or written to disk by the skill package itself.
Credentials
Only STEAM_ID and STEAM_COOKIES are required, which is proportional to the task. However STEAM_COOKIES (steamLoginSecure) is effectively an authentication token for your Steam session and grants access to account-scoped resources; treat it as a high-sensitivity secret.
Persistence & Privilege
always is false (good). disable-model-invocation is false (default) so the agent may call this skill autonomously if permitted — standard but relevant because the skill consumes a high-value session cookie; consider restricting autonomous use or not storing the cookie in shared/remote environments.
Assessment
This skill is coherent and does what it says: it shows how to curl the Steam inventory endpoint and parse JSON with jq. Before using it: (1) be aware that STEAM_COOKIES = steamLoginSecure is a session token — anyone who obtains it can act as your logged-in web session until it is invalidated; never paste it into public chat or third-party sites. (2) Prefer running the curl commands locally on your own machine rather than storing the cookie in a shared CI or cloud environment. (3) If you doubt the skill's origin, you can manually run the provided curl commands instead of letting an agent run them. (4) If the cookie might be exposed, log out of Steam or otherwise invalidate the session (change password / revoke sessions). (5) If you want to avoid providing a session cookie, only public inventories can be retrieved without authentication and may be limited by rate limits.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b27vtzrhmbhxkzztqfezhhh80r4ah

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
Binsjq, curl
EnvSTEAM_ID, STEAM_COOKIES

Comments