ClawHub
Back to skill
v1.1.3

FootballBin Predictions

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:45 AM.

Analysis

This skill appears to only fetch football prediction data from a disclosed public API without credentials, installs, local file access, or persistence.

GuidanceThis looks safe for its stated purpose. Before installing, note that it sends your football query parameters to the disclosed FootballBin API and depends on local curl and jq binaries, but the provided artifacts do not show credential use, local data access, persistence, or hidden behavior.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityInfoConfidenceHighStatusNote
scripts/footballbin.sh
curl --fail --show-error --silent --max-time 20 -X POST "$MCP_ENDPOINT" ... -d "$payload"

The included script uses curl to call the prediction API, which is expected for this skill; arguments are constrained to league, numeric matchweek, and validated team strings.

User impactRunning the skill makes a network request to retrieve prediction data, but the script does not show unrelated shell actions or local system changes.
RecommendationUse the documented commands and verify the endpoint remains the disclosed FootballBin API if you review future versions.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityInfoConfidenceHighStatusNote
SKILL.md
External Endpoints

- Host: `api.footballbin.achaninc.net`
- Path: `/mcp`
- Method: `POST` (JSON-RPC)
- Data sent: league, optional matchweek, optional team filters

The skill communicates with a remote MCP-style JSON-RPC endpoint, but the endpoint and limited data sent are clearly disclosed and match the stated prediction purpose.

User impactYour league, matchweek, and team filter choices are sent to the FootballBin API to return predictions.
RecommendationInstall only if you are comfortable sending those query choices to the disclosed FootballBin service.