Skills
skills/openclaw/skills/game-light-tracker/Gen Agent Trust Hub

game-light-tracker

Fail

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: CRITICALCOMMAND_EXECUTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFE
Full Analysis

================================================================================

🔴 VERDICT: CRITICAL

This skill poses a CRITICAL security risk due to its reliance on unverified scripts that handle sensitive data and are designed for persistent execution. The primary concern is that the content of game-tracker.ps1 and keeper.ps1 is not provided for analysis, making their behavior completely unknown and potentially malicious. These scripts are central to the skill's operation.

Total Findings: 3

🔴 CRITICAL Findings: • Unverifiable Core Scripts

  • Line 48, 59, 90, 95: The skill's entire functionality depends on game-tracker.ps1 and keeper.ps1. These scripts are referenced by name and usage examples, but their actual code is not provided for security analysis. This means the skill could execute arbitrary, unvetted code on the user's system, leading to full system compromise. The GitHub repository clawdbot/skills referenced in _meta.json is not a trusted source, further exacerbating this risk.

🔴 HIGH Findings: • Sensitive Data Access and Potential Exfiltration

  • Line 30, 84: The skill explicitly reads the .homeassistant-config.json file to extract a Home Assistant API token. This token is then used by the unverified game-tracker.ps1 script, which also makes network requests to the ESPN API and Home Assistant. Without the script's code, there is no way to verify that the API token or other sensitive data is not exfiltrated to an attacker-controlled server. • Persistence Mechanism
  • Line 59, 95: The keeper.ps1 script is designed to act as an "auto-restart supervisor" and is launched as a hidden background process (Start-Process powershell -ArgumentList "-File keeper.ps1 ..." -WindowStyle Hidden). This establishes a persistent execution mechanism, allowing the unverified scripts to run indefinitely on the user's system without direct user interaction after initial launch. This could be used to maintain access or perform long-running malicious activities.

================================================================================

Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 13, 2026, 02:29 AM