scryfall-card

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to be a straightforward Magic: The Gathering card lookup tool that sends card search queries to the public Scryfall API.

This looks safe for its intended purpose. Before installing, understand that MTG search terms are sent to Scryfall, but the artifacts do not show credential access, local file reading, persistence, or unrelated actions.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

No VirusTotal findings for this skill version.

Malicious: 0
Suspicious: 0
Harmless: 0
Undetected: 64

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI02: Tool Misuse and Exploitation

Info

What this means

Card names and search queries may be sent to Scryfall when the skill is used.

Why it was flagged

The helper script sends user search terms to the Scryfall API. This is expected for the skill's purpose and uses a fixed public API host.

Skill content

BASE_URL = "https://api.scryfall.com" ... url = f"{BASE_URL}/cards/search?{params}" ... return make_request(url)

Recommendation

Use normally for MTG card lookups; avoid entering unrelated private information into card search queries.