GOG Stale Game Cleanup
Advisory
Audited by Static analysis on May 4, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously crafted library path or reminders-list value could cause the script to execute unintended commands locally.
Shell-expanded environment variables are embedded directly inside Python source passed to python3 -c. If a value contains quotes or newlines, it can alter the generated Python code and potentially run unintended local code under the user's account.
with open('$GOG_LIBRARY') as f:
...
subprocess.run(['remindctl', 'add', '--title', title, '--list', '$REMINDERS_LIST'], check=True)
Do not use untrusted env-var values. The maintainer should pass values via sys.argv or os.environ, validate them, and avoid interpolating shell variables into Python source.
The skill can send email from the configured account and include game names, last-played dates, and install paths in that message.
The script uses the configured Himalaya email account to send the report. This is purpose-aligned and the recipient is user-supplied, but it still exercises the user's email-sending authority.
echo "$EMAIL_BODY" | himalaya message send --account "$EMAIL_ACCOUNT" --to "$EMAIL_TO" --subject "GOG Stale Game Report — ${COUNT} game(s) to review"
Use a recipient and email account you trust, and run with DRY_RUN=true first if you want to preview the report.
Running the skill can add reminders to the selected Apple Reminders list.
The script creates an Apple Reminder for each stale game. This is disclosed and aligned with the stated workflow, but it mutates a local reminders list and may create many items.
subprocess.run(['remindctl', 'add', '--title', title, '--list', '$REMINDERS_LIST'], check=True)
Confirm the list name and consider DRY_RUN=true before the first real run, especially for large libraries.
The skill may fail or use whatever local himalaya/remindctl/python3 binaries are available on PATH.
The registry metadata does not declare the external CLIs or env vars that SKILL.md/script require. This is not hidden behavior, but it means users must verify dependencies and configuration themselves.
Required binaries (all must exist): none ... Required env vars: none ... No install spec — this is an instruction-only skill.
Install and verify trusted versions of himalaya, remindctl, and python3 before running; maintainers should declare these requirements in metadata.
If scheduled, it can repeatedly send emails and add reminders without a fresh manual run each time.
The documentation suggests optional recurring scheduling. It is user-directed and not automatically installed, but scheduled use would keep performing the workflow over time.
# Add to crontab or use OpenClaw cron
0 10 * * 1 GOG_LIBRARY=... EMAIL_TO=... bash /path/to/scripts/stale_games.sh
Only add the cron/OpenClaw cron entry if you want recurring behavior, and include logging or DRY_RUN during testing.
