ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sports Game Light Tracker

Track live NFL, NBA, NHL, or MLB games and automatically change Hue light colors based on which team is leading. Use when user wants to sync smart lights with live sports scores for visual game tracking. Supports NFL, NBA, NHL, and MLB games with customizable team colors.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 1.4k · 4 current installs · 5 all-time installs
by@0xadamsu
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The described capability — fetching live scores and controlling Hue lights via Home Assistant — is coherent. However, the skill metadata declares no required credentials or config paths, while the SKILL.md explicitly instructs reading a local Home Assistant config file (.homeassistant-config.json) for API token and URL. That mismatch (no declared config/credential but instructions require them) is inconsistent.
!
Instruction Scope
The SKILL.md directs runtime actions beyond simple API calls: it tells the agent/user to read a local config file for a token and URL, run PowerShell scripts (game-tracker.ps1 and keeper.ps1), and start a hidden background process to auto-restart the tracker. These instructions involve reading potentially sensitive local files and creating persistent background processes. The doc also says it polls ESPN every 20 seconds but provides no details about endpoints or rate limiting.
Install Mechanism
This is an instruction-only skill with no install spec and no code files included. That lowers supply-chain risk because nothing is automatically downloaded or written by the registry, but it also means the user (or agent) would run locally-provided PowerShell scripts — the skill supplies usage examples but no packaged code to inspect.
!
Credentials
No environment variables or primary credential are declared in the registry metadata, yet the instructions require access to a Home Assistant API token stored in a local file (.homeassistant-config.json). Requesting access to a token/file without declaring it is disproportionate and increases risk of secret exposure or unnoticed credential use.
Persistence & Privilege
The workflow instructs starting a hidden PowerShell process (keeper.ps1) to auto-restart the tracker and suggests running it detached. Although always:false and autonomous invocation are not set to force inclusion, following the instructions would create a persistent background process on the host. This persistence could run unattended and is worth caution, but persistence itself is not a definitive indicator of malicious intent.
What to consider before installing
What to consider before installing/running this skill: - Inconsistency: The skill metadata declares no credentials or config paths, but SKILL.md requires reading .homeassistant-config.json for your Home Assistant token and URL. Ask the author to explicitly declare required config/credentials and explain storage expectations. - Secrets: Do not run these scripts until you inspect them. The instructions rely on a local file containing an API token — confirm where that file comes from, its permissions, and that it only contains a Home Assistant long-lived access token. Prefer providing a token via a secure environment variable or Home Assistant integrations/webhooks rather than an unlabeled file. - Review script contents: The skill references two PowerShell scripts (game-tracker.ps1 and keeper.ps1) but does not include them in the registry. Obtain and audit the scripts for network calls, logging, or any code that could exfiltrate tokens or other data before executing. - Persistence: The keeper is started hidden and set to restart the tracker periodically. If you run it, be prepared to stop/remove the background process manually and monitor it. Avoid running hidden processes from unreviewed scripts. - Least privilege: If you proceed, create a Home Assistant token limited to the smallest scope necessary (control of the specific light entities) and consider network controls (run tracker on an isolated machine or container). - Rate limits & endpoints: The doc says it polls ESPN every 20s — confirm this is acceptable under ESPN terms and won't cause unnecessary traffic. Consider adding exponential backoff and error handling. If the author cannot provide the actual script files for review and a clear explanation of the token handling, treat the skill as unsafe to run.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk9722rs51vpzv0a18k24qzqv1x803xyq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Game Light Tracker

Automatically sync your Hue lights with live sports scores. When the lead changes, your lights change color to match the leading team.

Quick Start

Basic usage:

Track the [Team A] vs [Team B] game and change my [light name] to [color1] when [Team A] leads and [color2] when [Team B] leads

Examples:

  • "Track the Rams vs Seahawks game and change my backlight to blue when Rams lead, green when Seahawks lead" (NFL)
  • "Monitor the Lakers vs Celtics game, purple for Lakers, green for Celtics" (NBA)
  • "Watch the Rangers vs Devils game - blue for Rangers, red for Devils" (NHL)
  • "Track the Yankees vs Red Sox game, make my living room light blue for Yankees, red for Red Sox" (MLB)

How It Works

  1. Fetches live scores from ESPN API every 20 seconds
  2. Detects lead changes
  3. Changes specified Hue light color via Home Assistant
  4. Includes auto-restart keeper to prevent timeouts
  5. Optional: Adds third color for tied games

Setup Requirements

  • Home Assistant with Hue lights configured
  • Home Assistant API token (stored in .homeassistant-config.json)
  • Light entity ID from Home Assistant

Scripts

game-tracker.ps1

Main monitoring script that tracks a specific game and updates lights.

Usage:

.\game-tracker.ps1 -Sport "nfl" -Team1 "LAR" -Team2 "SEA" -Light "light.backlight" -Color1 "0,0,255" -Color2 "0,100,0" [-TiedColor "255,0,0"]

Parameters:

  • -Sport: "nfl", "nba", "nhl", or "mlb"
  • -Team1: First team abbreviation
  • -Team2: Second team abbreviation
  • -Light: Home Assistant light entity ID
  • -Color1: RGB color for Team1 (comma-separated, e.g., "0,0,255" for blue)
  • -Color2: RGB color for Team2 (comma-separated, e.g., "0,100,0" for dark green)
  • -TiedColor: (Optional) RGB color when game is tied

keeper.ps1

Auto-restart supervisor that prevents 30-minute timeout crashes.

Usage:

.\keeper.ps1 -TrackerScript "game-tracker.ps1" -RestartInterval 25

Parameters:

  • -TrackerScript: Path to the game-tracker.ps1 script
  • -RestartInterval: Minutes between restarts (default: 25)

Common Team Abbreviations

NFL:

  • Rams: LAR, Seahawks: SEA, Chiefs: KC, Bills: BUF, Patriots: NE
  • Cowboys: DAL, Eagles: PHI, 49ers: SF, Packers: GB, Bears: CHI
  • [Full list: https://www.espn.com/nfl/teams]

NBA:

  • Lakers: LAL, Celtics: BOS, Warriors: GS, Knicks: NY, Bulls: CHI
  • Heat: MIA, Nets: BKN, 76ers: PHI, Bucks: MIL, Mavericks: DAL
  • Nuggets: DEN, Suns: PHX, Clippers: LAC, Raptors: TOR
  • [Full list: https://www.espn.com/nba/teams]

NHL:

  • Rangers: NYR, Devils: NJ, Bruins: BOS, Maple Leafs: TOR, Canadiens: MTL
  • Penguins: PIT, Capitals: WSH, Flyers: PHI, Lightning: TB, Panthers: FLA
  • Red Wings: DET, Blackhawks: CHI, Avalanche: COL, Golden Knights: VGK
  • [Full list: https://www.espn.com/nhl/teams]

MLB:

  • Yankees: NYY, Red Sox: BOS, Dodgers: LAD, Giants: SF, Mets: NYM
  • Cubs: CHC, Cardinals: STL, Astros: HOU, Braves: ATL, Phillies: PHI
  • [Full list: https://www.espn.com/mlb/teams]

Common RGB Colors

  • Blue: 0,0,255
  • Red: 255,0,0
  • Green: 0,255,0
  • Dark Green: 0,100,0
  • Orange: 255,165,0
  • Purple: 128,0,128
  • Yellow: 255,255,0
  • White: 255,255,255

Workflow

When user requests game tracking:

  1. Identify sport and teams:

    • Extract sport (NFL/NBA/NHL/MLB)
    • Get team abbreviations from user or look up from team names

  2. Get light and color preferences:

    • Ask for light entity ID (or read from Home Assistant config)
    • Get desired RGB colors for each team
    • Optional: Ask if they want a tied-game color

  3. Load Home Assistant config:

    $config = Get-Content ".homeassistant-config.json" | ConvertFrom-Json
$token = $config.token
$url = $config.url

  4. Start game tracker:

    .\scripts\game-tracker.ps1 -Sport "nfl" -Team1 "LAR" -Team2 "SEA" -Light "light.backlight" -Color1 "0,0,255" -Color2 "0,100,0" -TiedColor "255,0,0"

  5. Start keeper for auto-restart:

    Start-Process powershell -ArgumentList "-File keeper.ps1 -TrackerScript 'game-tracker.ps1'" -WindowStyle Hidden

  6. Confirm to user:

    • Tell them monitoring is active
    • Show current score if available
    • Explain color scheme
    • Tell them how to stop it

Stopping the Tracker

To stop monitoring:

Get-Process powershell | Where-Object { $_.CommandLine -like "*game-tracker.ps1*" -or $_.CommandLine -like "*keeper.ps1*" } | Stop-Process -Force

Troubleshooting

Light not changing:

  • Verify Home Assistant token is valid
  • Check light entity ID is correct
  • Ensure Home Assistant is accessible at the configured URL

Script crashes:

  • Keeper should auto-restart it
  • Check ESPN API is accessible
  • Verify team abbreviations are correct

Wrong team colors:

  • Double-check RGB values (must be 0-255, comma-separated)
  • Ensure colors are assigned to correct teams

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…