Game Sentiment Monitor
Security checks across malware telemetry and agentic risk
Overview
The skill’s game-monitoring purpose is coherent, but it asks the agent to store and reuse third-party credentials and automate CAPTCHA/login-based scraping.
Install only if you are comfortable with the agent browsing many public sites, optionally installing Playwright MCP, and storing service credentials. Use throwaway or low-privilege accounts, restricted API keys, and review the saved .credentials/config files before running recurring scans.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may retain credentials that can access third-party services or consume API quota; if the workspace is exposed, those credentials could be reused.
The skill asks the user to give the agent API keys and an account password and says it will store them, but the artifacts do not define secure storage, retention, or least-privilege handling.
“YouTube API key → 告诉我 key,我帮你存好” and “NGA 账号 → 告诉我用户名和密码,我帮你存好”
Use only dedicated low-privilege accounts and restricted/revocable API keys, prefer a secure credential vault over a workspace file, and revoke/delete credentials when no longer needed.
This could trigger account security controls, violate platform automation expectations, or scrape under the user’s account identity without enough boundary controls.
The channel strategy directs the agent to automate a login flow and solve a CAPTCHA with AI as part of scraping NGA.
“点击登录 → 处理 6 位数字图形验证码(截图 + AI 识别)→ 确认弹窗”
Disable login/CAPTCHA-automated channels unless explicitly needed, use a disposable account, and require manual approval for any authenticated browsing step.
Installing an MCP browser automation server expands what the agent can do in the local environment.
The skill is listed as instruction-only with no install spec, but its setup flow can install an external Playwright MCP component.
“Playwright MCP server(微博/TapTap/贴吧/B站/小红书/NGA 依赖):`mcporter add playwright`”
Review and approve the exact MCP package/source before installation, and pin or document the trusted version if possible.
A stale or incorrect frozen-channel state could cause future reports to omit important sources.
The skill keeps persistent channel-status state that can change future monitoring behavior.
“If a channel fails healthcheck on 3+ consecutive runs, mark as ‘frozen’ in this file... Frozen channels are excluded from future runs until manually reviewed.”
Periodically review saved configuration and channel-status files, especially after network errors or failed health checks.