make-game

Fail

Audited by Socket on Mar 13, 2026

2 alerts found:

Security, Obfuscated File

Security: MEDIUM
SKILL.md

SUSPICIOUS. The core game-building workflow is plausible, but the skill’s footprint goes far beyond scaffolding: it installs other skills, performs public deployment/monetization, reads raw local credential files, and most critically instructs the agent to embed the user's Play.fun API key into publicly served HTML. That credential-handling behavior is fundamentally inconsistent with a safe game-creation skill and drives the overall risk high.

Confidence: 92%
Severity: 93%

Obfuscated File: HIGH
tweet-pipeline.md

No direct signs of malware or obfuscation in the textual specification. The principal risks are privacy, legal (likeness/copyright), and supply-chain exfiltration from sending tweet text and detected names to external services and storing API keys insecurely. The 'NEVER refuse' mandate increases the likelihood of generating disallowed or sensitive content. Recommend adding explicit content-moderation, secure secret handling, consent/rights checks before likeness generation, logging/redaction policies, and the ability to refuse generation for prohibited inputs.

Confidence: 98%

Audit Metadata

Analyzed At: Mar 13, 2026, 08:47 AM
Package URL: pkg:socket/skills-sh/opusgamelabs%2Fgame-creator%2Fmake-game%2F@3f38caf20f9e5d396789489da080661b876529f2