ClawHub
Back to skill
v1.0.0

Sports Game Light Tracker

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 4:54 AM.

Analysis

The skill matches its sports-light-tracking purpose, but it asks the agent to use a Home Assistant token, run unprovided PowerShell scripts, and start a hidden auto-restarting background process.

GuidanceReview the PowerShell scripts before using this skill, because they are not included in the provided package. If you proceed, use a limited Home Assistant token, verify the exact light entity, and avoid starting the hidden keeper unless you know how and when it will stop.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityMediumConfidenceHighStatusConcern
SKILL.md
.\scripts\game-tracker.ps1 -Sport "nfl" ...
Start-Process powershell -ArgumentList "-File keeper.ps1 -TrackerScript 'game-tracker.ps1'" -WindowStyle Hidden

The supplied artifact set contains no code files or install spec, but the runtime instructions depend on PowerShell helper scripts. Those helpers are therefore not reviewable from the provided artifacts, and running these paths could execute whatever local files match the names.

User impactA user or agent could run unreviewed local PowerShell code while also using a Home Assistant token and controlling smart lights.
RecommendationOnly use this if the exact scripts are supplied from a trusted source and reviewed; prefer packaging the scripts with the skill, verifying paths, and asking before execution.
Rogue Agents
SeverityMediumConfidenceHighStatusConcern
SKILL.md
Includes auto-restart keeper to prevent timeouts
...
Start-Process powershell -ArgumentList "-File keeper.ps1 -TrackerScript 'game-tracker.ps1'" -WindowStyle Hidden

The skill instructs creation of a hidden auto-restarting process. Although disclosed, its lifetime is not clearly bounded to the game session, and hidden execution makes it harder for users to notice.

User impactThe tracker may keep running or restarting after the user expects it to stop, continuing to use network access and control lights.
RecommendationRequire explicit confirmation before starting the keeper, run it visibly or with clear status, auto-stop at game end, and provide a precise non-force stop mechanism.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
Home Assistant API token (stored in `.homeassistant-config.json`)
...
$token = $config.token
$url = $config.url

The skill reads a local Home Assistant token to control Hue lights. This is expected for the stated integration, but it is sensitive smart-home account/device authority.

User impactThe token may allow broader Home Assistant actions than just changing one light, depending on how the user configured Home Assistant.
RecommendationUse the least-privileged Home Assistant token available, protect the config file, and confirm the exact light entity before allowing changes.