ClawHub

Football Data Hub

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward football data lookup tool with disclosed external API use, though it has dependency hygiene and H2H accuracy issues users should understand.

Install only if you are comfortable with the skill querying external football APIs and, if configured, storing API keys in a local config.yaml. For safer use, pin reviewed dependency versions and do not rely on the H2H preview for decisions until its import and win-counting bugs are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The H2H aggregation is logically incorrect: it counts wins by home side versus away side across historical matches, not wins by the specified team1 and team2. Because the skill presents the output as an objective pre-match report, this can mislead users with materially wrong comparative data and undermine trust in the analysis. In this skill context, the issue is somewhat more significant because the feature is explicitly a match preview/H2H analysis tool, so correctness of summary statistics is central to the skill’s purpose.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
pyyaml>=6.0
Confidence
96% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
pyyaml>=6.0
Confidence
98% confidence
Finding
pyyaml>=6.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
87% confidence
Finding
requests

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
95% confidence
Finding
pyyaml

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal