Sports Game Light Tracker
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill’s sports-light purpose is coherent, but it tells the agent to run missing PowerShell scripts, use a Home Assistant token, and start a hidden auto-restarting background process.
Treat this as needing review before installation. The idea is legitimate, but do not let it run hidden PowerShell scripts or use your Home Assistant token unless you have the actual scripts, trust their source, and understand how to stop the background process.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may try to run local scripts that are not part of the reviewed package, potentially executing unexpected code if similarly named files exist.
The skill describes required helper scripts, but the supplied manifest contains only SKILL.md and no install spec or code files, so the actual script behavior and provenance cannot be reviewed.
### `game-tracker.ps1` Main monitoring script ... ### `keeper.ps1` Auto-restart supervisor ...
Only use this after obtaining and reviewing the referenced scripts from a trusted source, or require the skill package to include pinned, auditable helper files.
Running unreviewed relative-path scripts could execute the wrong local file or code the user did not inspect.
The workflow tells the agent to execute PowerShell scripts by relative path, including a hidden process, while those scripts are not included in the reviewed artifacts.
.\scripts\game-tracker.ps1 -Sport "nfl" ... Start-Process powershell -ArgumentList "-File keeper.ps1 ..." -WindowStyle Hidden
Use absolute paths to reviewed scripts, avoid hidden execution by default, and ask the user for explicit confirmation before launching any PowerShell process.
A Home Assistant token can control smart-home devices; if mishandled by unreviewed scripts, it could affect more than the selected light.
The skill instructs reading a local Home Assistant API token, but the registry metadata declares no primary credential or required config paths, and the token-handling script is not present for review.
Home Assistant API token (stored in `.homeassistant-config.json`) ... $token = $config.token $url = $config.url
Use a least-privilege Home Assistant token if possible, store it securely, and verify exactly which API endpoints the script calls before running it.
The tracker could keep running in the background and continue changing lights after the user expects it to stop.
The skill recommends a hidden keeper process that automatically restarts the tracker, creating long-running background behavior that may continue until manually stopped.
Auto-restart supervisor that prevents 30-minute timeout crashes ... Start-Process powershell ... -WindowStyle Hidden
Require an explicit duration or game-end stop condition, show the process to the user rather than hiding it, and provide a safer scoped stop command.