Brown Dust 2

Review

Audited by ClawScan on May 18, 2026.

Overview

The skill appears to do the advertised game automation, but it asks the agent to extract and persist your Brown Dust 2 web-shop access token, so it deserves careful review before use.

Review before installing. This skill is not shown exfiltrating data or doing unrelated actions, but it does require your Brown Dust 2 web-shop session token and stores it locally. Use it only if you trust the skill with that account access, delete the saved token when finished or if the device is shared, and verify the external endpoints and script output before relying on it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may gain reusable access to the user's Brown Dust 2 web-shop session for actions allowed by that token.

Why it was flagged

This directs the agent to extract a bearer-style session token from the logged-in browser and save it. The registry metadata declares no primary credential or required environment variables, so this sensitive credential use is under-declared.

Skill content

The agent should automatically extract the token via the browser tool... JSON.parse(localStorage.getItem("session-storage")).state.session.accessToken ... save the token

Recommendation

Only use this with an account/profile you trust the skill to access. Prefer a short-lived token if possible, delete the saved .token file when done, and review any account actions before running.

What this means

Running the skill can claim daily, weekly, event, or gift-code rewards on the connected game account.

Why it was flagged

The script makes direct POST requests to perform sign-in actions on the user's game account. This matches the skill's purpose, but users should understand that invoking the skill performs real account mutations.

Skill content

do_daily_attend(token) ... _api("POST", "/api/user/attend", token, {"type": _ATTEND_DAILY})

Recommendation

Invoke it only when you intend to perform those actions, and review the script output to confirm what happened.

What this means

The user's game nickname and redemption attempts are sent to the configured coupon endpoint, and code lists are obtained from a third-party site.

Why it was flagged

The redemption flow fetches codes from BD2Pulse and submits the user's nickname plus code to an external coupon API. This is purpose-aligned, but it is still an external data flow users should notice.

Skill content

_BD2PULSE_URL = "https://thebd2pulse.com/zh-CN/" ... _REDEEM_API = "https://loj2urwaua.execute-api.ap-northeast-1.amazonaws.com/prod/coupon"

Recommendation

Confirm you are comfortable with these external endpoints and avoid using a nickname or account information you do not want sent to them.