Skill v1.0.0
ClawScan security
UAPI Steam User Query API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 9, 2026, 6:29 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only wrapper for a single UAPI endpoint (GET /game/steam/summary) and its requirements and instructions align with that stated purpose.
- Guidance: This skill is narrowly scoped to calling UAPI's GET /game/steam/summary and appears coherent. Before installing: (1) Confirm you trust the UAPI host (https://uapis.cn) because requests go there; (2) avoid pasting your Steam Web API Key into a public chat — prefer server-side storage and calls; (3) verify whether you also need a UAPI key/account for higher rate limits and store that key securely; (4) if you require strict auditing, monitor outbound calls to the UAPI base URL to ensure behavior matches expectations.
Review Dimensions
- Purpose & Capability (ok): The name/description, documentation files, and runtime instructions all focus on calling UAPI's GET /game/steam/summary to retrieve Steam user summaries. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope (ok): SKILL.md only tells the agent to read the included reference docs and to use the UAPI endpoint; it does not instruct reading arbitrary system files, accessing unrelated environment variables, or exfiltrating data to non-UAPI endpoints. It explicitly notes optional use of a Steam Web API Key as a query param.
- Install Mechanism (ok): No install spec and no code files that would be written to disk — instruction-only skill, which is the lowest-risk install model.
- Credentials (ok): The skill declares no required environment variables or credentials. It documents that a Steam Web API Key may be provided as a query parameter (appropriate and justified). There are no disproportionate or unrelated secret requests.
- Persistence & Privilege (note): always:false (good). The openai.yaml allows implicit invocation (allow_implicit_invocation: true), which permits autonomous invocation — this is platform-default behavior and not by itself a problem, but users should be aware the agent may call the skill when it deems appropriate.
