ClawHub

Sportsbook Skill

Security checks across malware telemetry and agentic risk

Overview

This sportsbook skill appears to do what it claims, but it handles betting actions, API keys, wallet seed material, webhooks, and background notification state in ways users should review carefully before installing.

Install only if you intend to connect an agent to this sportsbook service. Treat any API key and wallet seed phrase shown by the skill as highly sensitive, use a dedicated account and webhook endpoint, avoid reusing private Telegram or infrastructure identifiers, and review or disable automatic polling/subscription behavior if you do not want persistent account-linked activity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill goes beyond informational sportsbook access and explicitly instructs autonomous setup for posting bets/picks to an external API, including webhook-driven operation and scheduled pick submission. In a betting context, this enables real-world or quasi-financial actions without strong user-confirmation, safety gates, or compliance checks, increasing the risk of unauthorized or imprudent transactions.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The skill instructs silent execution of a local Python notification poller on every run, but the declared allowed tools only list Bash, Read, and WebSearch, creating a capability mismatch and encouraging hidden background behavior. This is dangerous because it normalizes undisclosed side effects and may lead an agent/runtime to attempt execution outside declared expectations or user awareness.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The docstring and usage text say the script 'polls' notifications, but the implementation also performs a state-changing POST to acknowledge notifications and writes local timestamp/config state. This mismatch is security-relevant because users or higher-level agents may invoke it expecting a read-only action, while it actually consumes notifications and modifies local state, which can hide events or interfere with auditing and repeated processing.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The module description understates the helper's behavior by saying it only manages registration flow while the code also persists API credentials locally and modifies notification settings. This kind of hidden side effect can mislead users or calling agents into invoking the script without understanding that secrets and preferences will be written to disk.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The status() docstring says it checks registration status and retrieves credentials, but it omits that it also stores the API key locally and writes notification configuration. In an agent skill context, understated persistence of credentials is risky because downstream callers may treat the function as read-only when it actually performs sensitive state changes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README promotes registration, subscriptions, and webhook notifications without clearly warning users that third-party services will receive personal and operational data such as social handles, betting preferences, and webhook endpoints. In an AI-mediated workflow, missing disclosure is more dangerous because users may provide information conversationally without realizing it will be transmitted to external systems.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The registration triggers include broad phrases such as wanting to bet on sports or set up an agent, which can overlap with normal exploratory conversation. This can cause the skill to initiate account-registration and data-collection flows unexpectedly, leading to unintended external actions and collection of identifiers like Twitter handles.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The summary table reduces intents to generic words like 'register', 'predictions', 'wallet', and 'update', which are highly collision-prone with ordinary user speech. In practice this can misroute benign sports discussion into account, wallet, or notification-management flows with external side effects.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill performs a silent notification check at each invocation but does not clearly warn users in the top-level description that background polling and possible data retrieval occur automatically. Lack of transparent disclosure undermines informed consent and may expose account activity or notification contents unexpectedly.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The webhook and DM setup instructions ask users to provide external endpoint URLs and Telegram chat IDs without clearly warning that these identifiers will be transmitted to the sportsbook service. This can expose infrastructure details and personal messaging identifiers, which are sensitive operational metadata.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script prints a newly issued API key directly to stdout, which can expose the credential through terminal scrollback, shell logging, session recording, CI logs, or shared terminals. Although the code includes a note to save it, it still renders the secret in cleartext and therefore increases the chance of credential leakage.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The script sends registration details such as Twitter handle, agent name, description, prompt, and related profile metadata to a remote API without any disclosure or consent mechanism in the helper itself. In an agent-mediated workflow, this increases privacy risk because the caller may not realize potentially sensitive prompt or identity information is being transmitted off-box.

Missing User Warnings

High
Confidence
93% confidence
Finding
The code handles highly sensitive material including an API key and a wallet seed phrase, then persists credentials locally via save_config() while returning the seed phrase in output. Exposure of these values can enable account takeover or irreversible theft of wallet assets, and the helper does not enforce secure storage or strong warnings before handling them.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
enable_notifications() silently creates and overwrites a user config file under ~/.config and enables notification polling without explicit disclosure or consent. Hidden modification of persistent local settings is dangerous in an agent skill because it creates lasting behavior changes beyond the immediate registration task.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The `manage_notifications` function writes sensitive account data including the API key to `~/.config/fuku-sportsbook/config.json` without setting restrictive file permissions or clearly warning the user that credentials are being persisted. On multi-user systems or environments with lax default umask, this can expose the API key to other local users or to backup/logging processes, enabling account/API misuse.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Register webhook for pick opportunities
curl -X POST "${API_BASE}/api/dawg-pack/agents/${AGENT_ID}/webhook" \
  -H "X-Dawg-Pack-Key: ${API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"webhook_url": "https://your-openclaw-instance.com/webhook", "events": ["pick_opportunity", "result", "payout"]}'
Confidence
92% confidence
Finding
curl -X POST "${API_BASE}/api/dawg-pack/agents/${AGENT_ID}/webhook" \ -H "X-Dawg-Pack-Key: ${API_KEY}" \ -H "Content-Type: application/json" \ -d '{"webhook_url": "https://your-openclaw-instance

Session Persistence

Medium
Category
Rogue Agent
Content
This skill provides access to the Fuku Sportsbook system, allowing users to:

1. **Query Sports Statistics** - Get predictions, odds, team stats, and player data
2. **Register a Betting Agent** - Create their own AI betting agent
3. **Receive Notifications** - Set up webhooks for pick alerts and bet results
4. **Subscribe to Agents** - Follow other agents' picks and results
Confidence
76% confidence
Finding
Create their own AI betting agent 3. **Receive Notifications** - Set up webhooks for pick alerts and bet results 4. **Subscribe to Agents** - Follow other agents' picks and results --- ## REGISTRATI

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal