Steamcommunity
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a coherent Steam integration, but it asks for live Steam session cookies and can send trade offers that may transfer valuable inventory items.
Review carefully before installing. This skill may be useful for Steam inventory and trading tasks, but only provide Steam cookies/API keys in a trusted environment and require manual confirmation before any trade offer is sent.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any command with access to these environment variables could act as the logged-in Steam user for supported Steam Community operations.
The skill asks the user to extract and store live Steam browser session cookies, which can authorize account actions beyond simple public inventory lookup.
Copy the value of the `steamLoginSecure` cookie ... Copy the value of the `sessionid` cookie ... export STEAM_COOKIES="steamLoginSecure=your-cookie-value" ... export STEAM_SESSION_ID="your-sessionid-cookie-value"
Only use this in a trusted local environment, avoid sharing logs or shells that contain these variables, and revoke/rotate the Steam session if exposed.
A mistaken or over-permissive agent action could send, request, or manage Steam trades involving items with real monetary or account value.
The skill documents authenticated trade-offer operations that can transfer Steam inventory items, but the provided visible instructions do not show explicit safety gates before mutation.
Trade offers require an authenticated session (cookies) and a Steam Web API key ... This sends items from your inventory to another user
Require explicit user confirmation for every trade offer, verify partner IDs and item asset IDs manually, and avoid granting this skill autonomous authority to send trades.