Odds for sports events
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward Odds-API.io lookup helper, with the main caveats being API key handling and avoiding accidental key exposure in printed URLs.
This skill looks safe to use for read-only odds lookups. Before installing, be prepared to supply an Odds-API.io key, avoid pasting or sharing URLs that include apiKey, and do not override --base-url unless you trust the destination.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Odds-API.io key may be used to query the provider and consume quota.
The skill needs a user-provided Odds-API.io credential. This is purpose-aligned and disclosed, but users should understand that the agent can use that key to make provider API requests.
Provide the API key via `ODDS_API_KEY` or `--api-key` (never store it in this skill).
Provide the key only when needed, prefer an environment variable over pasting it into chat, and use a key scoped/rotatable for this service.
If a dry-run URL is shared or logged, it may reveal the API key.
For authenticated commands, the helper includes the API key in the query string and dry-run mode prints the full URL, which can expose the key in terminal output or copied logs.
"apiKey": api_key, ... if args.dry_run:
print(url)Do not share dry-run output from authenticated commands; consider masking the apiKey value before displaying or copying URLs.
If the base URL is changed to an untrusted server, requests could be sent somewhere other than Odds-API.io.
The CLI defaults to the expected Odds-API.io endpoint, but it also allows the request destination to be changed.
parser.add_argument("--base-url", default=DEFAULT_BASE_URL, help="API base URL")Use the default base URL unless you are intentionally testing against a trusted endpoint.