ClawHub

Steamcommunity

Security checks across malware telemetry and agentic risk

Overview

This Steam skill is coherent and not malicious, but it deserves Review because it asks for live Steam credentials and provides trade-changing commands without strong safety guardrails.

Install only if you are comfortable giving the agent access to your authenticated Steam session and trade authority. Use a trusted temporary shell, avoid committing or logging cookies or API keys, prefer read-only inventory commands unless you intentionally need trading, and manually verify every partner, token, asset ID, and item list before running send or accept commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs users to extract highly sensitive Steam authentication material, including session cookies and API keys, and reuse them in command-line requests without any security warning or handling guidance. Those secrets can enable account takeover-like actions for Steam trading functions if exposed in shell history, logs, screenshots, or shared terminals, so the omission materially increases risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The trade-offer sections document how to send gifts, accept offers, cancel offers, and otherwise perform account-affecting actions, but they do so without clear warnings that these operations can transfer valuable inventory items or trigger irreversible state changes. In this context, the skill is more dangerous because it combines authenticated actions with concrete examples that make item transfer straightforward for an operator or another system invoking the skill.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal