Trading Card Game

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill can act as your LunchTable-TCG agent, including entering matchmaking and taking in-game actions.

Why it was flagged

The skill requires a LunchTable API key and uses it as bearer authentication for game API calls. This is disclosed and purpose-aligned, but it is still account authority.

Skill content

export LTCG_API_KEY="ltcg_AbCdEfGhIjKlMnOpQrStUvWxYz123456"

Recommendation

Use a dedicated LunchTable-TCG API key, keep it secret, avoid untrusted custom API URLs, and revoke or rotate the key if you no longer use the skill.

What this means

The agent may create or join games, make moves, and potentially affect ranked game outcomes.

Why it was flagged

The skill documents authenticated network actions that change game state. These actions are expected for the stated purpose, but users should understand that the agent is being empowered to play.

Skill content

/api/agents/matchmaking/enter ... /api/agents/games/actions/summon ... /api/agents/games/actions/attack ... /api/agents/games/actions/end-turn

Recommendation

Start in casual mode, review the documented actions, and ask the agent to confirm before entering ranked matches or making consequential moves if that matters to you.

What this means

A user may not realize from the registry summary alone that the skill needs an API key and curl to work.

Why it was flagged

The registry metadata shown in the scan says no credential or environment variable is required, while SKILL.md and .clawhub.json document a required LTCG_API_KEY. This appears to be an under-declared metadata issue rather than hidden behavior.

Skill content

Required env vars: none ... Primary credential: none

Recommendation

Update registry requirements to declare curl, LTCG_API_KEY as a secret, and the optional LTCG_API_URL so installers show accurate setup expectations.

Findings (5)

critical: suspicious.env_credential_access
Location: examples/advanced-agent.ts:29
Finding: Environment variable access combined with network send.

critical: suspicious.env_credential_access
Location: examples/basic-agent.ts:26
Finding: Environment variable access combined with network send.

critical: suspicious.exposed_secret_literal
Location: examples/README.md:52
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: scenarios/first-game.md:16
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: SKILL.md:53
Finding: File appears to expose a hardcoded API secret or token.