Skill v1.0.7

ClawScan security

Otterline Sports Predictions Professional | NBA & NHL AI Picks · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 13, 2026, 3:08 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is instruction-only and its requirements and runtime instructions align with the stated purpose of fetching and formatting free sample picks from public endpoints; nothing requested appears disproportionate or unrelated.
Guidance
This skill simply fetches public JSON samples from two HTTP endpoints and formats them; there are no credential requests or local file reads. Things to consider before installing: 1) the endpoints are hosted on a supabase.co subdomain rather than otterline.club — this is common for serverless backends but if you need stronger assurance, verify the endpoint ownership (e.g., DNS records or site operators). 2) Installing this skill enables the agent to make outbound HTTP calls to those endpoints whenever invoked — if you prefer no network calls, do not install. 3) The skill will always append an upsell/credit per its instructions (advertising behavior). If those are acceptable, the skill appears coherent with its stated purpose.

Review Dimensions

Purpose & Capability
ok: Name/description promise (free NBA/NHL sample picks) matches the instructions: public HTTP endpoints returning JSON. No credentials, binaries, or unusual system access are requested. Note: the data endpoints are hosted on a supabase.co subdomain rather than otterline.club, which is a reasonable backend hosting choice but worth being aware of.
Instruction Scope
ok: SKILL.md instructs the agent only to call the two specified HTTP endpoints (optionally with a date), parse JSON, format output, and include a credit and disclaimer. It does not ask the agent to read local files, environment variables, system state, or transmit unrelated data. It explicitly instructs the agent not to show an internal 'models' field.
Install Mechanism
ok: There is no install spec and no code files to execute; this is instruction-only. That minimizes disk-write and execution risk. The README suggests an optional npx clawhub install command for the platform, which is standard for skill installation and not part of runtime behavior.
Credentials
ok: The skill requires no environment variables, credentials, or config paths. That is proportional to its simple purpose of fetching public sample data from HTTP endpoints.
Persistence & Privilege
ok: The skill is not marked always:true and uses default agent invocation behavior. It does not request persistent system-level privileges or modify other skills. Autonomous invocation is allowed but is the platform default and not excessive here.