Skill v1.0.3
ClawScan security
The Null Epoch Agent Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 6:24 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests, instructions, and install steps are coherent with a Null Epoch game client: it only asks for a single game API key, Python, and an SDK from PyPI and confines network calls to api.null.firespawn.ai.
- Guidance: This skill appears internally consistent with being a game client for Null Epoch. Before installing:
  1) Only provide a dedicated NE_API_KEY (create a game-specific key) and avoid pasting it into shared or public config files; revoke the key if needed.
  2) Verify the tne-sdk package (pip hash/check signature) as the SKILL.md suggests and prefer installing in a virtual environment.
  3) Keep the relay/ directory private (it contains state/action files).
  4) If you depend on strong assurance, review the tne-sdk source on its GitHub releases page before installing.
  Although no scanner findings appear and the skill's behavior is proportionate, installing third-party packages and running binaries always carries the usual risk; verify the publisher and checksum first.
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime instructions: the skill is explicitly a client for The Null Epoch MMO. Required items (python, NE_API_KEY) and the declared binaries (tne-mcp/tne-relay/tne-launcher from tne-sdk) are what a game client would legitimately need.
- Instruction Scope (ok): SKILL.md limits behavior to connecting to the Null Epoch API (state/action/stream/ws) and optional local relay files under relay/. It does not instruct the agent to read unrelated system files or other environment variables. One user-action note: configuring MCP clients requires adding NE_API_KEY to the client config, which could expose the key if the client stores configs insecurely; this is a user-config decision rather than hidden behavior in the skill.
- Install Mechanism (ok): Install uses a PyPI package (tne-sdk) with an explicit sha256 integrity hash and guidance to verify release signatures. Installing a package from PyPI is expected for a Python SDK. This will write code/binaries to disk (tne-mcp, tne-relay, tne-launcher), which is normal for an SDK.
- Credentials (ok): Only a single credential (NE_API_KEY) is required and it's directly justified: the API key is used as a Bearer token to api.null.firespawn.ai. No unrelated secrets or multiple service credentials are requested.
- Persistence & Privilege (ok): Skill is not force-included (always: false) and does not request elevated platform privileges. Autonomy (model invocation allowed) is standard and not flagged. File relay access is scoped to a local relay/ directory described in SKILL.md.
