v1.1.1

Cricket Live Score

Benign: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:34 AM.

Analysis

The skill is coherent for sending cricket scores to Telegram, but users should notice that it uses a Telegram bot token, runs a background updater, and depends on external network services.

Guidance: This skill appears purpose-aligned, not malicious. Before installing, make sure you are comfortable giving it a Telegram bot token and chat ID, understand that it will run in the background during a match, and use only genuine Cricbuzz live-score URLs.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: Low, Confidence: High, Status: Note
SKILL.md
The script runs in the background, sends updates at your chosen interval, and auto-stops when the match ends.

The skill intentionally starts a long-running updater. This is disclosed and aligned with live score alerts, but users should understand it will continue posting until stopped or completed.

User impact: If started, it may keep sending recurring Telegram updates for the match.
Recommendation: Choose a reasonable interval and confirm you know how to stop the background process before starting updates.

Agentic Supply Chain Vulnerabilities
Severity: Info, Confidence: Medium, Status: Note
SKILL.md
dependencies: gTTS

Voice memos depend on the external gTTS package, while the registry shows no install spec. This is a purpose-aligned optional dependency, but users may need to install and trust it separately.

User impact: Voice memo support may not work unless gTTS is installed, and installing it introduces a normal third-party package dependency.
Recommendation: Install gTTS from a trusted package source if you need voice memos, or run without the --voice option.

Tool Misuse and Exploitation
Severity: Low, Confidence: Medium, Status: Note
scripts/cricket-live.py
if not parsed.hostname or not parsed.hostname.endswith('cricbuzz.com'):

The script validates user-provided score URLs by suffix matching. This supports the intended Cricbuzz-only workflow, but a stricter exact-domain or subdomain check would reduce the chance of accepting a lookalike host.

User impact: If a wrong or lookalike URL is used, the script could fetch and relay content that is not actually from Cricbuzz.
Recommendation: Use only real cricbuzz.com live score URLs, and prefer tightening validation to allow exactly cricbuzz.com or names ending in .cricbuzz.com.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
scripts/cricket-live.py
config_path = os.environ.get("OPENCLAW_CONFIG", os.path.expanduser("~/.openclaw/openclaw.json")) ... return config["channels"]["telegram"]["botToken"]

The script can read a Telegram bot token from the local OpenClaw config if a token is not supplied directly. This is purpose-aligned for sending Telegram updates, but it is credential use.

User impact: The skill can send messages through the Telegram bot whose token you provide or have configured.
Recommendation: Use a dedicated Telegram bot token for this skill, send only to the intended chat ID, and revoke the token if you stop using the skill.