Leetify

Review

Audited by ClawScan on May 10, 2026.

Overview

Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.

Before installing, be comfortable providing a Leetify API key, installing the Python dependencies, and allowing the skill to store local player mappings and download/parse CS2 demo files. Use a virtual environment and delete saved mappings you no longer want. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use your Leetify API authorization to request player profile and match data.

Why it was flagged

The skill reads a Leetify API key from the environment and sends it as a Bearer token to the Leetify API. This is disclosed and purpose-aligned for retrieving Leetify stats.

Skill content

API_KEY = os.environ.get("LEETIFY_API_KEY") ... headers = {"Authorization": f"Bearer {API_KEY}"}

Recommendation

Use a revocable Leetify API key, keep it out of shared logs, and remove it from the environment when not needed.

What this means

Demo analysis may download large files and consume disk, memory, and CPU while decompressing and parsing them.

Why it was flagged

The demo workflow downloads a replay file and invokes local decompression binaries. This is expected for demo parsing, but it is still local command execution on downloaded content.

Skill content

urllib.request.urlretrieve(replay_url, local_path) ... subprocess.run(['bunzip2', '-f', local_path], check=True)

Recommendation

Run demo analysis only for intended matches, preferably in a normal user account or virtual environment, and monitor disk/memory usage.

What this means

Player identifiers you save can remain on disk and be reused by future skill commands.

Why it was flagged

The skill persists username, display-name, and Steam-ID mappings in a local JSON file so later commands can resolve players.

Skill content

STORAGE_FILE = os.path.join(os.path.dirname(__file__), '../data/steam_ids.json') ... data[key] = {'steam_id': steam_id, 'name': name or username, 'username': username.lstrip('@')}

Recommendation

Only save mappings you need, review them with the list command, and delete entries that should not persist.

What this means

Installing dependencies later may pull whatever versions are current at that time, which can change behavior or introduce third-party package risk.

Why it was flagged

The skill declares pip dependencies without pinned versions or a lockfile/install spec in the provided artifacts.

Skill content

"pip": ["requests", "demoparser2"]

Recommendation

Install dependencies in a virtual environment and consider pinning known-good versions before using the skill.