Odds for sports events

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward read-only Odds-API.io helper, but users should be careful not to expose their API key in dry-run output or by changing the API destination.

Install only if you are comfortable giving the skill an Odds-API.io key for read-only odds lookups. Prefer ODDS_API_KEY over pasting keys into chat, avoid --dry-run with a real key unless you can keep the output private, and do not use --base-url except with a trusted Odds-API.io-compatible endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
In dry-run mode, the tool prints the fully constructed request URL, and authenticated endpoints include the API key as the apiKey query parameter. This can leak credentials into terminal history, logs, screenshots, CI output, or higher-level agent traces, exposing the key beyond the skill's intended odds-query purpose.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The global --base-url option lets the caller redirect requests to any host, including attacker-controlled endpoints. Because authenticated commands place the API key in the query string, this can exfiltrate credentials and send user queries to destinations unrelated to the skill's declared Odds-API.io-only purpose.

Missing User Warnings

Medium
Confidence: 98%
Finding
This dry-run path exposes the complete authenticated URL without masking the apiKey parameter. Even though no network request is made, the secret may still be captured by logs, shell history, transcript storage, or observability systems.

Missing User Warnings

Medium
Confidence: 98%
Finding
The search command's dry-run mode prints a full URL containing both the user query and the API key. This unnecessarily exposes credentials and potentially sensitive user input to local and centralized logging surfaces.

Missing User Warnings

Medium
Confidence: 98%
Finding
The odds command prints the full request URL in dry-run mode, including the API key in the query string. This creates a straightforward secret disclosure path through normal debugging use.

VirusTotal

66/66 vendors flagged this skill as clean.
