Skill v1.0.0
ClawScan security
Football Data · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 11, 2026, 7:20 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are internally consistent with a football data wrapper that relies on a third‑party Python package; main risk is installing an external package via pip/GitHub without provenance checks.
- Guidance: This skill appears coherent for fetching public football data, but it directs you to install a third‑party Python package (sports-skills) from PyPI or GitHub. Before installing: (1) verify the package/repository and maintainer (machina-sports) on PyPI/GitHub; (2) inspect the package code for unexpected network calls or credential usage; (3) install only in an isolated virtual environment or sandbox; (4) prefer using the skill read-only (ask the agent to call documented commands) rather than allowing it to run arbitrary installation steps unchecked. Also note data sources (ESPN, Understat, FPL, Transfermarkt) may have licensing or rate‑limit considerations — confirm acceptable use if you rely on this for production.
Review Dimensions
- Purpose & Capability (ok): Name/description match the declared commands and data sources (ESPN, Understat, FPL, Transfermarkt). The skill does not request unrelated credentials or system access and its documented coverage (top‑5 / PL exceptions) aligns with the commands described.
- Instruction Scope (note): Runtime instructions are scoped to calling the sports-skills CLI/SDK and validating IDs; they do not ask the agent to read unrelated files, secrets, or system config. The SKILL.md tells agents to derive the current year from the system prompt date and to install the sports-skills package if missing — this is reasonable but grants the agent the ability to run pip (see install note).
- Install Mechanism (note): No formal install spec in the registry; SKILL.md instructs `pip install sports-skills` or `pip install git+https://github.com/machina-sports/sports-skills.git`. Installing from PyPI or a GitHub URL is common but executes arbitrary install scripts and will pull code from an external source, so verify the package/repo before installing. The GitHub install target is a well-known host (not a shortener or unknown IP).
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The documented data sources also state 'no API keys' — consistent with using public endpoints or scraping.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request elevated privileges or changes to other skills/configuration. Autonomous invocation is allowed (platform default) but not combined with other concerning permissions.
