ClawHub

Remix Agent Publish

v0.1.0

Build Remix games for remix.gg with the server-api v1 agents REST API and Farcade game SDK requirements.

0· 1k·3 current·3 all-time
by@chuckstock
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's stated purpose (publish Remix games via the agents REST API and Farcade SDK) matches the content of the docs. However the package metadata declares no required credentials or env vars yet the snippets and authentication guide clearly expect a server-side API key (process.env.REMIX_API_KEY / Authorization: Bearer <api_key>). That mismatch is disproportionate and incoherent: a publishing skill legitimately needs an API key and should declare it. Additionally, some local docs claim "no write endpoints for game metadata or assets in this surface" while other docs and snippets show POST /v1/agents/games and POST .../versions/{versionId}/code (write operations), which is a contradictory capability statement.
!
Instruction Scope
Runtime instructions are generally scoped to fetching the OpenAPI spec, calling api.remix.gg, and producing single-file HTML with the Farcade SDK. They do not ask for arbitrary system files or unrelated credentials. However the docs internally contradict each other about which API routes are available (read-only vs. create/update flows). The SKILL also lists repository files (apps/server-api/...) as 'source of truth' which are internal code paths the agent cannot access; this is misleading and could confuse agents into looking for unavailable local resources. Overall the instruction set is mostly constrained to the stated purpose but contains contradictions and misleading references.
Install Mechanism
This is instruction-only with no install spec and no code to write to disk; that's the lowest-risk install mechanism and is consistent with the content.
!
Credentials
The skill's examples and authentication doc instruct use of a bearer API key (Authorization: Bearer <api_key>) and show process.env.REMIX_API_KEY in TypeScript snippets, but the registry metadata lists no required environment variables or primary credential. That omission is a coherence/white-space problem: a publishing skill legitimately needs the Remix API key and should declare it explicitly. There are no other unrelated credential requests, which is appropriate.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not attempt to modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
What to consider before installing
This skill looks like a focused publishing helper for remix.gg, but a few inconsistencies need attention before you install or use it: - API key missing from metadata: The documentation and code snippets expect a server-side Remix API key (Authorization: Bearer <api_key> / process.env.REMIX_API_KEY), but the skill metadata does not declare any required environment variables or primary credential. Treat this as a red flag — confirm that any agent using the skill will obtain and store the API key in a secure server-side secret manager (not client-side) and that the skill's manifest is updated to declare the credential. - Conflicting API claims: Some documents say agent REST is read-only for certain surfaces, while other docs and examples call POST endpoints (create game and upload code). Before running, fetch the OpenAPI spec at https://api.remix.gg/docs/json (as the skill itself recommends) and rely on that for exact routes and allowed operations. - Misleading 'source of truth' references: The SKILL references internal repository paths (apps/server-api/...) that are not available to an external agent. Do not assume the agent can access those paths; instead use the public OpenAPI docs at api.remix.gg. - External script inclusion: The skill recommends embedding the Farcade SDK via cdn.jsdelivr.net. This is expected for Remix single-file uploads, but be aware that including third-party CDN scripts has supply-chain risks; prefer pinned versions and verify the version matches Remix validation requirements. What to ask/verify before installing: - Request the skill owner add REMIX_API_KEY (or equivalent) to requires.env/primary credential in the registry manifest. - Confirm which POST endpoints are actually permitted by the agent API (use the OpenAPI JSON). If the skill performs writes, ensure your API key has least privilege and that you understand what actions the key allows. - Ensure the agent will store the API key in a secure, server-side secret store and will not log or expose it in client-side code. If these issues are resolved (manifest updated, docs made consistent, and you confirm the OpenAPI contract), the skill's behavior appears coherent with its purpose. If the owner cannot or will not reconcile these inconsistencies, treat it as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk9752zyd6f1x29hhxtdmkc372580xyzm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments