Skill v0.1.0
ClawScan security
Football Data · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 27, 2026, 11:58 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions are internally consistent with a football-data lookup tool and do not request unrelated credentials or system access, but it relies on installing a third‑party Python package from PyPI/GitHub (no install spec included) so verify the package source before use.
- Guidance: This skill appears to do what it says: structured access to football data with no extra credentials. Two practical cautions before installing or running it: (1) SKILL.md recommends installing a third‑party Python package (sports-skills) from PyPI or GitHub; verify the package on PyPI and inspect the GitHub repository (code, maintainer, recent commits, issues) before running pip, since installing packages runs code on your system. (2) Because the skill fetches data from external websites (ESPN, Understat, Transfermarkt), it will make network requests; if you need to be cautious, run it in a sandbox or isolated environment and avoid installing as root. If you want higher assurance, ask the author for the package repository URL or a homepage and inspect the package source and recent activity; that information would increase confidence.
Review Dimensions
- Purpose & Capability (ok): The name/description map to the documented commands and data coverage. The skill does not request unrelated credentials, binaries, or config paths; the included scripts and reference docs only describe football data commands and formats.
- Instruction Scope (ok): SKILL.md confines the agent to specific football data commands, explains which leagues support which endpoints, and instructs deriving season IDs via get_current_season or the system date. It does not instruct reading unrelated files, secrets, or system configuration.
- Install Mechanism (note): There is no formal install spec in the metadata (instruction-only), but SKILL.md tells users/agents to run `pip install sports-skills` or install from GitHub. Installing packages from PyPI or from a GitHub repo can execute arbitrary code on the host; this increases risk compared with an instruction-only skill that performs no installs. Recommend inspecting the sports-skills package/repo before installing.
- Credentials (ok): No environment variables, credentials, or config paths are required. The skill documents public data sources (ESPN, Understat, Transfermarkt) which explains the lack of API keys. Network access to fetch data or to pip-install the client is expected and proportionate to the stated purpose.
- Persistence & Privilege (ok): Skill does not request always:true and uses default model-invocation behavior. It does not modify other skills or request persistent system-wide changes in the provided files.
