Remix Agent Publish
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the workflow means giving an agent/API client the ability to act on Remix resources owned by the API-key account.
The skill requires a Remix account API key, which delegates account authority to the agent or API client. The same file also gives appropriate storage, revocation, and rotation guidance.
Remix server API uses bearer API keys generated from Remix account settings. Supported auth header: Authorization: Bearer <api_key> (required)
Use a dedicated or least-privileged key if available, keep it in a server-side secret manager, revoke or rotate it when no longer needed, and avoid placing it in generated browser code or chat transcripts.
An agent following the skill can create draft games and replace version code, which may affect work in a Remix account even if it does not submit or delete games.
The recommended workflow includes mutating REST calls that create a game draft and upload code. This is purpose-aligned and documented, but it can change the user's Remix account state.
4. `POST /v1/agents/games` ... 9. `POST /v1/agents/games/{gameId}/versions/{versionId}/code`Confirm before allowing POST actions, review generated game code before upload, and use the documented validation/readiness checks before relying on the result.
Generated games depend on the availability and integrity of the external SDK/CDN at runtime.
Generated games are instructed to load an external Farcade SDK script from a CDN. The dependency is disclosed, version-pinned, and central to the Remix/Farcade purpose, but it is still an external runtime dependency.
<script src="https://cdn.jsdelivr.net/npm/@farcade/game-sdk@0.3.0/dist/index.min.js"></script>
Use the documented pinned SDK version, trust the SDK/CDN source before publishing, and consider integrity controls or platform-approved hosting options if available.