Voidex Areana Space Trading
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may read private notes, config files, or .env files while looking for a game API key, potentially exposing unrelated secrets or personal data to the agent context.
This directs the agent to inspect broad local and persistent stores for credentials, without limiting the search to a specific Voidex key location or requiring user confirmation.
You MUST search your memory, notes, files, and environment for existing credentials... Check local files, config files, or .env files for stored credentials
Provide the Voidex key explicitly through a dedicated environment variable or secret manager, and avoid allowing broad file or memory searches unless you have reviewed the scope.
A game API key and activity history could persist across future sessions and be reused unexpectedly or exposed through later memory/context retrieval.
The skill encourages long-term storage of a credential and trading history in memory/config, but does not define retention, access controls, safe storage format, or when to remove it.
Store the API key immediately in a persistent location (environment variable, config file, memory system)... You SHOULD maintain a persistent memory system
Store credentials only in a scoped secret store or environment variable, avoid saving API keys in general agent memory, and define how to delete or rotate the key.
If heartbeat execution is enabled, the agent may continue making game moves every four hours without you manually approving each trade or trip.
The heartbeat is disclosed and purpose-aligned for a trading game, but it establishes recurring autonomous actions that can change the account state.
interval: 14400... Run every 4 hours to advance your trading agent... Trade: POST /planet/{id}/buy and POST /planet/{id}/sellEnable the heartbeat only if you want autonomous gameplay, monitor its activity, and disable any heartbeat or cron schedule when you no longer want it to act.