ClawHub

Steamcommunity

v1.0.1

Retrieves Steam inventory data and manages trade offers on steamcommunity.com

0· 884·2 current·2 all-time
by@bluesyparty-src·duplicate of @bluesyparty-src/steam-community-inventory
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the required assets: the skill needs SteamID, Steam Web API key, and authenticated session cookies to read private inventories and to create trade offers. Required binaries (curl and jq) are appropriate for the curl+jq usage shown.
Instruction Scope
SKILL.md is instruction-only and explicitly shows curl commands against steamcommunity.com using the provided cookies, sessionid, and API key. It does not instruct the agent to read unrelated files or credentials. It does, however, tell the user to extract sensitive cookies from their browser and export them as env vars so the agent can authenticate — this is necessary for the declared trade-offer functionality but expands the agent's power to act on your behalf (e.g., send trades).
Install Mechanism
No install spec and no code files; lowest-risk install mechanism. The skill relies on existing system binaries (curl, jq) which is consistent with the documented usage.
Credentials
The required env vars (STEAM_ID, STEAM_API_KEY, STEAM_COOKIES, STEAM_SESSION_ID) are directly relevant to the skill's purpose. They are highly sensitive (cookies and sessionid grant authenticated access) but their presence is justified by the need to access private inventories and send trade offers.
Persistence & Privilege
always is false and the skill does not request system-wide config or modify other skills. Model invocation is allowed (platform default), which combined with the auth material would permit autonomous actions, but this is expected for usable trade-offer automation.
Assessment
This skill legitimately needs your Steam ID, Web API key, and session cookies to read private inventories and send trade offers — those cookies/sessionid are effectively keys to act as your account on steamcommunity.com. Only provide them if you trust the skill's source. Prefer these precautions: 1) Use an expendable/secondary Steam account (not your main account) when testing. 2) Do not paste long-lived cookies into long-term files or public logs; provide them only in ephemeral environment variables and revoke them afterward (log out or change password to invalidate). 3) Consider limiting the skill to read-only actions (omit STEAM_COOKIES/STEAM_SESSION_ID) if you only need public inventory data. 4) After use, invalidate the session (log out) and rotate your API key if you suspect misuse. 5) If you want more assurance, request a code review or a vendor/source identity before trusting trade-capable automation.

Like a lobster shell, security has layers — review code before you run it.

latestvk972v9kxzcxfgrt1seznhep4zd811h4w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
Binsjq, curl
EnvSTEAM_ID, STEAM_COOKIES, STEAM_API_KEY, STEAM_SESSION_ID

Comments