Roblox
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is coherent and purpose-aligned, but it can change monetized Roblox items using a write-capable API key, so users should restrict the key and review write actions.
Install this only if you want OpenClaw to manage Roblox monetization resources. Use a dedicated, least-privilege ROBLOX_API_KEY restricted to the intended experiences, review any create/update/price/sale-status actions before execution, and consider using a pinned or locally installed Bun runtime instead of relying on npx resolution.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could change monetized Roblox assets or pricing.
The skill intentionally exposes write operations that can create or modify Roblox game passes and developer products, including prices and sale status.
Manage game passes (list, get, create, update) ... Manage developer products (list, get, create, update)
Use these commands only with explicit user intent, especially for create/update actions that change price or sale status.
Anyone or any agent process with this key can use the granted Roblox Open Cloud permissions.
The skill requires a Roblox API key with write permissions. This is expected for the stated purpose, but it is still privileged account access.
Set the `ROBLOX_API_KEY` environment variable ... `game-pass:read` and `game-pass:write` ... `developer-product:read` and `developer-product:write`
Create a dedicated API key with only the required scopes, restrict it to specific experiences where possible, and rotate it if exposed.
Runtime behavior can depend on the npm-resolved Bun package rather than only the reviewed skill files.
The documented runtime path uses `npx -y bun`, which may install or run an unpinned external package if Bun is not already available.
`npx -y bun ${SKILL_DIR}/scripts/cli.ts [command] [subcommand] [args] [options]`
Prefer a trusted, locally installed Bun runtime or pin the runtime package/version in the skill metadata or install instructions.
