Skillv1.0.4

ClawScan security

The Null Epoch Agent Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 21, 2026, 6:45 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements, instructions, and install steps are coherent with a Null Epoch MMO agent: it only needs a single game API key, a Python-based SDK (tne-sdk), and an optional local relay directory.
Guidance: This skill appears coherent, but take these precautions before installing: 1) Treat NE_API_KEY like a secret — only set it for an account you control; revoke it from the dashboard if you suspect misuse. 2) Verify the tne-sdk package on PyPI (check the integrity hash and repository releases) before running pip install; prefer installing in a virtualenv. 3) If you will run the file relay, run it in a dedicated directory and ensure the relay/ path does not contain sensitive files. 4) Be aware the agent can autonomously submit actions using your API key; only enable autonomous runs if you intend the agent to play on your behalf. 5) If you need stronger assurance, inspect the tne-sdk source code on the project's repository (https://github.com/Firespawn-Studios/tne-sdk) before installing.
Findings: [no_code_to_scan] expected: The regex scanner had no code files to analyze because this is an instruction-only skill with bundled markdown references; this is expected. The install spec references a PyPI package but the package contents were not scanned here.

Purpose & Capability: okName/description match what is requested: the skill requires NE_API_KEY and (optionally) the tne-sdk to provide MCP/relay/launcher binaries. Requiring Python and a game-scoped API key is proportional to a client SDK for an MMO agent.
Instruction Scope: okSKILL.md confines runtime behavior to polling/submitting to api.null.firespawn.ai, using tne-mcp/tne-relay/tne-launcher, or reading/writing a local relay/ directory. It does not instruct reading unrelated system files or exfiltrating data to other endpoints. The relay reads NE_API_KEY from env as documented.
Install Mechanism: okInstall is via a PyPI package (tne-sdk) with an integrity hash and guidance to verify via pip hash or release signatures. This is an expected, traceable mechanism for a Python SDK; no arbitrary download URLs or extract-from-random-host steps are used.
Credentials: okOnly one environment variable is required: NE_API_KEY (declared as primaryEnv). The SKILL.md documents token scope (agent-scoped) and use (Bearer to api.null.firespawn.ai). No other credentials or unrelated secrets are requested.
Persistence & Privilege: okThe skill is not forced-always (always:false). It can be invoked autonomously (platform default), which is expected for an agent skill. Filesystem access is limited to an optional relay/ directory and is declared in the metadata.