Skill v1.1.0

ClawScan security

Supercraft Game Servers · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 10, 2026, 11:03 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's API instructions match its stated purpose (managing game servers) but they ask the agent to create persistent polling (cron) and to store JWT tokens without declaring how or where—this mismatch and the implicit persistence are worth reviewing before installing.
Guidance
This skill appears to do what it says (manage Supercraft game servers), but pay attention before you install:

1) The instructions tell the agent to set up recurring polling (cron) and to store a JWT — ask where the token will be saved and require explicit consent before any cron or filesystem changes.
2) Confirm the API domain (claws.supercraft.host vs supercraft.host) and verify the vendor/site are legitimate.
3) Prefer short-lived tokens or explicit user-provided JWTs rather than letting the agent persist credentials.
4) If you don't want scheduled tasks or credential storage on your machine, decline installation or ask the skill author to offer a flow that requires the user to trigger the final claim step manually.
5) If possible, test in an isolated environment first and request the author to clarify how token storage and cron creation are performed.

Review Dimensions

Purpose & Capability
ok
Name, description and the SKILL.md endpoints align: this is a REST API-based game server management skill. Required credentials (a Bearer JWT obtained by a magic-link flow) are consistent with the service. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
note
Instructions are generally scoped to calling the Supercraft REST API (listing servers, start/stop, config, logs). However, the runtime directions instruct the agent to (a) send the magic/login or checkout link to the user before invoking any tools, (b) set up a cron job to poll /auth/claim every 30s rather than using while/sleep loops, and (c) "save the JWT token securely." Those steps go beyond simple single-request interactions because they require scheduling/persistence and token storage; the SKILL.md does not specify where/how tokens should be stored or what exact mechanism should create the cron, which could cause uncertain behavior or unapproved changes to the host environment.
Install Mechanism
ok
This is an instruction-only skill with no install specification and no code files. That minimizes supply-chain risk — nothing is downloaded or written by the skill bundle itself.
Credentials
ok
No environment variables, config paths, or unrelated credentials are requested by the skill metadata. The use of a JWT to authenticate to the API is proportional to the stated purpose. Note: the API can return connection details (IP/port/password), which is expected for game servers and should be handled with care.
Persistence & Privilege
concern
Although 'always' is false and the skill does not declare persistent privileges, the SKILL.md explicitly instructs the agent to create cron jobs to poll authentication endpoints and to 'save the JWT token securely.' That implies persistent scheduled tasks and credential storage on the host or in agent state. The skill does not declare or justify this persistence or where/with what permissions such state should be stored, creating a mismatch and raising the risk of unintended persistent changes or residual credentials.