Skillv1.1.1

ClawScan security

Sportsbook Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 14, 2026, 3:19 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, runtime instructions, and file I/O are coherent with a Sportsbook/registration/notification tool — nothing in the bundle appears to be trying to do unrelated or hidden work, but it will persist API keys and (potentially) wallet info to local config files and will contact a remote API host that you should verify/trust.
Guidance: This skill appears to do what it says, but review and accept these behaviors before installing/running it: - Network communication: the skill's scripts call a remote API (default api_base: https://cbb-predictions-api-nzpk.onrender.com). Verify you trust that host/service before using the skill; data you provide (Twitter handle, agent name, your custom betting 'prompt') will be sent to that service. - Local persistence of secrets: when registration completes the service may return an API key and (in some cases) a wallet seed phrase. The scripts will save API keys and agent IDs to config.yaml in the skill folder and to ~/.config/fuku-sportsbook/config.json; the code may also surface a one-time seed phrase to you. Treat those values as sensitive: back up API keys securely, and never paste seed phrases into chat or store them in plaintext beyond the recommended one-time save. - Automatic notifications / polling: the helper can enable polling and write a user config to auto-check notifications. If you don't want background polling or saved credentials, do not enable notification features and remove the generated config files if needed. - Browser/opening behavior: the interactive register_agent.py may open a Twitter intent link when run interactively; the helper script used by the agent (register_helper.py) does not open the browser. If you run scripts manually, be prepared for optional interactive prompts. - Least-privilege recommendation: if you decide to use this skill, consider creating and using a dedicated API key/account (not an account tied to high-value funds) and do not use any real seed phrase in chat. Inspect the config files after registration and delete them if you want to revoke local persistence. If you want a firmer assessment, provide the remaining truncated files or confirm the api_base host (ownership/README link) so I can check for mismatches or suspicious endpoints.

Review Dimensions

Purpose & Capability: okName/description (access sportsbook data, register agents, receive picks) align with the included scripts and runtime instructions. All network calls, config keys, and CLI helpers point at the Dawg Pack / Fuku Sportsbook API and are consistent with the described features (registration, predictions, notifications, subscribing).
Instruction Scope: noteSKILL.md instructs the agent to collect Twitter handle, agent name, betting perspective, and then run local helper scripts (register_helper.py) to call remote APIs and verify via a tweet. That scope is within purpose, but the instructions and helper scripts will write configuration into the skill directory and into a user config directory (~/.config/fuku-sportsbook), and may store API keys and return/display wallet seed phrases. The SKILL.md also directs the agent to perform behind-the-scenes script calls rather than exposing CLI commands to users — the scripts exist and are the ones the agent will invoke.
Install Mechanism: noteNo install spec (instruction-only) — lowest installer risk. However the skill bundle contains executable Python helper scripts that will run locally and make outbound network requests. There is no remote download/install step in the bundle itself, but executing these scripts will contact the configured api_base (default: https://cbb-predictions-api-nzpk.onrender.com).
Credentials: noteThe skill does not require any environment variables to be provided, so there are no unexpected secret requests. The config loader does allow optional env overrides (DAWG_PACK_API_KEY, DAWG_PACK_AGENT_ID, DAWG_PACK_API_BASE), which are reasonable for this use case. Important: the code will persist API keys (and the remote service can return wallet seed phrases) into config.yaml and into ~/.config/fuku-sportsbook/config.json — storing such secrets on disk is expected for this functionality but is a sensitive action you should be aware of.
Persistence & Privilege: notealways:false (normal). The scripts create and write config files in the skill directory and in the user's home config directory (~/.config/fuku-sportsbook), and register_helper.enable_notifications auto-enables notification polling by writing config.json. This is consistent with the feature (notifications) but means the skill will persist state and credentials on disk and will run periodic network polling if you use that functionality.