Supercraft Game Servers
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill fits game-server management, but it asks the agent to run background login polling and save a token while also giving broad server-control powers.
Use this skill only if you trust Supercraft and are comfortable letting the agent manage your game servers. Require explicit approval before purchases, configuration changes, restarts, start/stop actions, or console commands, and do not allow background cron polling or JWT storage unless you can verify cleanup and secure storage.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may prioritize sending service links or changing its workflow instead of first validating the action and getting clear user approval.
This tries to override normal agent sequencing and broadly restricts tool use before sending login or checkout links, even though those links appear to be generated through API calls.
you **MUST send the link to the user as a message BEFORE calling any tools** (curl, exec, cron). If you call a tool first, the message with the link gets blocked
Treat this as advisory only: generate links only after a user-requested, verified API response, and do not bypass normal approval or safety checks.
A background task could keep running after the login flow has finished, and a saved token could be reused or exposed if it is not handled carefully.
The skill directs the agent to create a recurring background job and persist an authentication token without defining user approval, timeout, cleanup, or storage boundaries.
After the reply, set up a cron (every 30s) to poll `GET /auth/claim?magic=...`; When claim returns `status: "ready"`, save the JWT token securely
Do not set up cron polling by default. Poll only during an active user-approved session, use a short timeout, remove any scheduled job, and store tokens only in an approved secret store.
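The polling guidance above, as an added example (not code from the skill or from Supercraft): a foreground loop that polls `GET /auth/claim?magic=...` at the same 30-second cadence the skill asks for, but inside the user-approved session, gives up after an assumed 10-minute cap, hands the JWT to a secret-store callback rather than returning or printing it, and leaves no scheduled job behind. The endpoint path and the `status: "ready"` signal come from the skill excerpt; the `token` field name, the cap, and the `FakeClaimServer` and `fake_clock_and_sleep` stand-ins (so the demo runs offline and instantly) are assumptions.

```python
import time
from typing import Any, Callable, Dict, Tuple

# Added example, not code from the skill or from Supercraft. The endpoint
# (GET /auth/claim?magic=...) and the `status: "ready"` response come from the
# skill excerpt; the `token` field name, the 10-minute cap and the secret-store
# callback are assumptions.

POLL_INTERVAL_S = 30.0   # same cadence the skill asks for, but run inline, not from cron
MAX_WAIT_S = 600.0       # assumed cap: stop polling after 10 minutes without a login


class ClaimTimeout(Exception):
    """Raised when the user has not completed the login within max_wait_s."""


def claim_token(
    magic: str,
    fetch_claim: Callable[[str], Dict[str, Any]],
    store_secret: Callable[[str, str], None],
    interval_s: float = POLL_INTERVAL_S,
    max_wait_s: float = MAX_WAIT_S,
    sleep: Callable[[float], None] = time.sleep,
    clock: Callable[[], float] = time.monotonic,
) -> bool:
    """Poll the claim endpoint in the foreground until it reports "ready".

    On success the JWT goes straight to store_secret (an OS keyring or other
    approved secret store in practice) and True is returned; the token is never
    returned, printed or logged. The loop runs inside the active session and is
    bounded by max_wait_s, so no scheduled job is left behind to clean up.
    ClaimTimeout is raised once the deadline passes.
    """
    deadline = clock() + max_wait_s
    while True:
        resp = fetch_claim(magic)
        if resp.get("status") == "ready":
            token = resp.get("token")          # field name assumed
            if not token:
                raise ValueError("claim reported ready but carried no token")
            store_secret("supercraft/jwt", token)
            return True
        if clock() >= deadline:
            raise ClaimTimeout(f"login not confirmed within {max_wait_s:.0f}s")
        # Never sleep past the deadline, so the cap is honoured exactly.
        sleep(min(interval_s, max(0.0, deadline - clock())))


class FakeClaimServer:
    """Constructed stand-in for GET /auth/claim: pending until it has been
    polled ready_after times, then ready with a made-up JWT."""

    def __init__(self, ready_after: int, token: str = "eyJhbGciOi.constructed.jwt"):
        self.ready_after = ready_after
        self.token = token
        self.polls = 0

    def __call__(self, magic: str) -> Dict[str, Any]:
        self.polls += 1
        if self.polls >= self.ready_after:
            return {"status": "ready", "token": self.token}
        return {"status": "pending"}


def fake_clock_and_sleep() -> Tuple[Callable[[], float], Callable[[float], None]]:
    """Simulated clock so the demo runs instantly instead of sleeping for real."""
    now = [0.0]

    def clock() -> float:
        return now[0]

    def sleep(seconds: float) -> None:
        now[0] += seconds

    return clock, sleep


if __name__ == "__main__":
    vault: Dict[str, str] = {}
    server = FakeClaimServer(ready_after=3)
    clock, sleep = fake_clock_and_sleep()
    claim_token("magic-abc", server, vault.__setitem__, sleep=sleep, clock=clock)
    print(f"stored after {server.polls} polls; keys in vault: {list(vault)}")

    stale = FakeClaimServer(ready_after=10**9)
    clock, sleep = fake_clock_and_sleep()
    try:
        claim_token("magic-abc", stale, vault.__setitem__, sleep=sleep, clock=clock)
    except ClaimTimeout as exc:
        print(f"gave up: {exc} after {stale.polls} polls")
```

With a real backend, `fetch_claim` would be a thin function around the HTTP GET and `store_secret` a write to the keyring; nothing else changes. The point the skill text leaves open is the bound: with the cap in place the worst case is 21 polls over ten minutes, after which the agent reports failure instead of leaving a job polling a magic link indefinitely.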
If invoked too freely, the agent could change a server, issue in-game admin commands, or start a checkout flow without enough review.
The skill exposes raw mutating API operations, including arbitrary game-console commands and purchases, with only limited confirmation guidance for some destructive operations.
POST `/servers/{id}/console` | Send RCON/console command ... PUT `/servers/{id}/config` | Update server configuration ... POST `/orders/purchase` | Purchase a new server plan
Require explicit user confirmation for every POST or PUT action, especially purchases, console commands, start/stop/restart, and configuration changes.
Mishandling the JWT or connection password could let someone control or access the user's game servers.
The JWT grants authenticated server-management authority, and the API can return connection passwords; the artifacts do not clearly bound token storage, output handling, or least-privilege scope.
All `/servers/*` endpoints require a Bearer JWT token ... GET `/servers/{id}/connection` | Get connection details (IP, port, password)
Use least-privilege credentials where possible, avoid displaying passwords unless the user asks, confirm the target server before use, and store tokens only in a trusted secret manager.
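The two recommendations above (per-call confirmation for the mutating endpoints, and not surfacing the connection password unless the user asks), as one added example that is not code from the skill or from Supercraft: a wrapper that refuses any POST/PUT/PATCH/DELETE unless an approval callback accepts a prompt naming the exact method, path and body, fetches the Bearer JWT from a callback at call time instead of holding it, and masks password and token fields in responses by default. The endpoint paths and the Bearer requirement come from the skill excerpt; the `ask_user` and `get_token` callbacks, the `FakeTransport` stand-in, the sample connection details and the list of sensitive field names are assumptions.

```python
from typing import Any, Callable, Dict, List, Optional, Tuple

# Added example, not code from the skill or from Supercraft. Endpoint paths and
# the Bearer JWT requirement come from the skill excerpt; the approval callback,
# transport signature, sample data and redaction rules are assumptions.

MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
SENSITIVE_KEYS = {"password", "token", "secret", "rcon_password"}   # assumed field names


class ApprovalRequired(Exception):
    """A state-changing call was attempted without explicit user approval."""


def redact(value: Any) -> Any:
    """Recursively mask sensitive fields in a response before it is shown or logged."""
    if isinstance(value, dict):
        return {k: ("***" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


class GatedClient:
    """Wraps the Supercraft API so every mutating call is approved per call and
    secrets in responses are masked unless the user explicitly asks for them."""

    def __init__(
        self,
        transport: Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]], Dict[str, Any]],
        ask_user: Callable[[str], bool],
        get_token: Callable[[], str],
    ):
        self.transport = transport
        self.ask_user = ask_user
        self.get_token = get_token   # read from the secret store at call time, never cached here

    def request(self, method: str, path: str, body: Optional[Dict[str, Any]] = None,
                reveal_secrets: bool = False) -> Dict[str, Any]:
        method = method.upper()
        if method in MUTATING_METHODS:
            # The prompt names the exact method, path and body, so the user confirms
            # the target server and the action rather than a generic "continue?".
            prompt = f"{method} {path}" + (f" {body}" if body else "")
            if not self.ask_user(prompt):
                raise ApprovalRequired(prompt)   # transport is never reached
        headers = {"Authorization": f"Bearer {self.get_token()}"}
        resp = self.transport(method, path, headers, body)
        return resp if reveal_secrets else redact(resp)


class FakeTransport:
    """Constructed stand-in for the HTTP layer; records every call it receives."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, str, str]] = []

    def __call__(self, method, path, headers, body):
        self.calls.append((method, path, headers.get("Authorization", "")))
        if method == "GET" and path.endswith("/connection"):
            # Constructed connection details, shaped after the skill's endpoint description.
            return {"ip": "198.51.100.7", "port": 25565, "password": "hunter2"}
        return {"ok": True}


if __name__ == "__main__":
    transport = FakeTransport()
    token = lambda: "jwt.constructed"
    cautious = GatedClient(transport, ask_user=lambda prompt: False, get_token=token)
    print(cautious.request("GET", "/servers/42/connection"))     # password masked
    try:
        cautious.request("POST", "/servers/42/console", {"command": "op someone"})
    except ApprovalRequired as exc:
        print(f"blocked: {exc}")
    approving = GatedClient(transport, ask_user=lambda prompt: True, get_token=token)
    print(approving.request("PUT", "/servers/42/config", {"max_players": 20}))
    print(f"transport saw {len(transport.calls)} calls")
```

Because the gate sits in front of the transport rather than in the prompt text, a declined approval means the request is never sent, and a GET that returns the connection password still comes back masked unless `reveal_secrets=True` is passed on the user's request.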
