Skill v1.0.1
ClawScan security
Videogames · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 16, 2026, 8:14 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requested resources align with its stated purpose (game lookups and price/compatibility info); it uses only public APIs and does not request credentials or exotic permissions.
- Guidance
- This skill appears to do what it says: it makes network requests to public APIs (Steam, CheapShark, ProtonDB, HowLongToBeat) and caches responses in ~/.openclaw/skills/videogames/.cache. It does not request API keys or other secrets. Before installing: (1) review and accept that the skill will make outbound HTTP requests to those public endpoints, (2) be aware it will create a cache directory in your home skills folder (you can delete it anytime), and (3) prefer installing code from a trusted repository/author (the registry metadata and included _meta.json have minor mismatches). If you want extra safety, run the skill in a sandboxed environment or inspect the files locally — the code is short and uses only Python standard libraries.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the implementation: code calls Steam, CheapShark, ProtonDB and provides HowLongToBeat links and related features. Included files implement the advertised functionality and there are no unexpected external services or secret requests. Minor metadata inconsistencies exist (_meta.json version differs from SKILL.md/registry), but this is an administrative mismatch, not a functional/security issue.
- Instruction Scope
- ok: SKILL.md and README instruct running the bundled Python script and describe the same API endpoints used by the code. The runtime instructions do not ask the agent to read unrelated files or exfiltrate data. The code creates a local cache under ~/.openclaw/skills/videogames/.cache to store API responses (24h) — expected for performance but worth noting.
- Install Mechanism
- ok: No install spec is provided; the skill ships source files (Python standard library only). No downloads from arbitrary URLs, package registry installs, or archive extraction are present in the manifest.
- Credentials
- note: The skill does not require credentials or declare required env vars. It optionally reads STEAM_LANGUAGE, STEAM_CURRENCY, and STEAM_CC from the environment for user convenience (documented in README). These are configuration variables only and not sensitive.
- Persistence & Privilege
- ok: always:false and no special privileges requested. The skill writes cache files under the skill's path in the user's home directory and does not modify other skills or system-wide configs. Autonomous invocation (disable-model-invocation:false) is platform-default and not unusual.
