Skill v1.0.1

ClawScan security

Game Deals · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 11:53 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code and instructions are coherent with its stated purpose (fetching Steam/Epic free-game info); there are small documentation/code inconsistencies but nothing that appears to exfiltrate secrets or require excessive privileges.
Guidance
This skill appears to do what it says: call public Steam/Epic endpoints and format results. Before installing:
1) Verify the package origin (source is listed as unknown in metadata).
2) Inspect the scripts locally (they are short and readable) and run them in a sandbox or isolated environment if you’re cautious.
3) Note the minor inconsistencies (SKILL.md mentions Steam API key / HTML scraping and a cache file that aren't present in the shipped scripts) — expect possible small bugs (e.g., promo discount logic comment/code mismatch).
4) If you enable the suggested cron job, be mindful of rate limits to avoid IP blocking.
5) Ensure only the minimal network access is allowed if you need stronger containment.

Review Dimensions

Purpose & Capability
note: Name/description (fetch Steam and Epic free games) matches the included Python scripts that call official Epic/Steam endpoints. Minor mismatches: SKILL.md shows a curl example suggesting a Steam API key or HTML scraping, but the included steam_free.py uses a search API without an API key. SKILL.md also mentions a cache/config file path that is not present in the package. These are documentation inconsistencies but not signs of hidden capabilities.
Instruction Scope
note: Runtime instructions tell the agent to run the provided scripts and optionally add a cron job; the scripts only make outbound HTTP requests to Epic/Steam endpoints and format output. The instructions do not ask the agent to read unrelated local files or environment variables. A minor scope issue: SKILL.md shows command-line jq/HTML-parsing examples that differ from the packaged Python implementations.
Install Mechanism
ok: No install spec; code is distributed as plain Python scripts. Dependencies are minimal (requests) and documented. No downloaded archives or obscure URLs are used by the package itself.
Credentials
ok: The skill requires no credentials, no config paths, and requests no secrets. Network access to public Steam/Epic endpoints is expected for its purpose and is proportional.
Persistence & Privilege
ok: The skill is user-invocable, not always-enabled, and does not request elevated agent privileges or modify other skills. The cron scheduling is optional and under user control.