Skill v1.0.0

ClawScan security

Betting · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 11, 2026, 7:19 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is an instruction-only betting analysis module that only does local computations and does not request credentials, binaries, or external installs — its declared purpose matches what it asks for.
Guidance
This skill appears coherent and low-risk: it only performs math on odds and requests no credentials or installs. Before installing, confirm you trust the source (owner ID is present but no homepage), be aware the skill will not fetch live odds (you must supply them or use a separate fetcher skill), and note the minor version mismatch between SKILL.md and registry metadata. If you prefer tighter control, disable autonomous invocation for the skill so it runs only when you explicitly call it. Finally, remember this provides analysis only — it does not guarantee profitability and carries normal gambling risk.

Review Dimensions

Purpose & Capability
note: Name/description claim 'pure computation, no API calls' matches the rest of the package: no required env vars, no install steps, and only analysis commands. Minor inconsistency: SKILL.md metadata lists version 0.2.0 while registry metadata shows version 1.0.0 — likely a packaging/versioning oversight but not a security concern.
Instruction Scope
ok: SKILL.md limits actions to local computations (odds conversion, de-vigging, edge, Kelly, arbitrage, parlay, line movement). It explicitly states it does not fetch live odds and instructs the agent to use other skills for data; it does not reference reading unrelated files, system paths, or environment variables.
Install Mechanism
ok: No install spec and no code files — instruction-only skill. No downloads or third-party packages are requested, which minimizes persistence and execution risk.
Credentials
ok: No environment variables, credentials, or config paths are required. The declared needs are proportional to a pure computation/analysis skill.
Persistence & Privilege
note: Defaults allow autonomous invocation (disable-model-invocation: false) and the skill is not set to always: true. Autonomous invocation is platform-default and acceptable here because the skill requests no credentials or install actions; if you want to avoid any autonomous runs, you can disable model invocation or restrict invocation policy.