v1.0.0

Odds for sports events

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 4:53 AM.

Analysis

The skill mostly matches its advertised odds-query purpose, but review before use because its dry-run and custom-endpoint options can expose the user’s Odds-API key.

Guidance: Use this only with a scoped, revocable Odds-API key. Do not share dry-run URLs or command output, keep the default Odds-API.io base URL unless you fully trust an alternate endpoint, and prefer a masked or placeholder key when testing.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/odds_api.py
DEFAULT_BASE_URL = "https://api.odds-api.io/v3"
...
parser.add_argument("--base-url", default=DEFAULT_BASE_URL, help="API base URL")
...
url = build_url(args.base_url, "/events/search", params)

The helper defaults to the official Odds-API.io URL, but callers can override the base URL used for credentialed requests. This appears testing-oriented, but it broadens where requests can be sent.

User impact: If an untrusted or mistaken base URL is used, requests may go to a non-official endpoint, potentially including the API key in the query string.
Recommendation: Keep the default base URL unless the alternate endpoint is trusted. Maintainers should warn clearly about this option or restrict it for credentialed calls.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
scripts/odds_api.py
api_key = get_api_key(args, required=True)
params = {"apiKey": api_key, "query": args.query}
url = build_url(args.base_url, "/events/search", params)
if args.dry_run:
    print(url)

For credential-required commands, the API key is placed in the query string and dry-run prints the full URL, which can disclose the key in terminal output, logs, or chat transcripts.

User impact: A copied dry-run URL or captured command output could reveal the user’s Odds-API key and allow unauthorized use of that API account or quota.
Recommendation: Do not share dry-run output. Prefer a limited, revocable API key, avoid passing keys via command-line history, and update the helper to mask apiKey in dry-run output or use a placeholder before printing.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
metadata
Required env vars: none
Env var declarations: none
Primary credential: none

The SKILL.md states that the skill requires a user-provided API key, so the registry metadata under-declares the credential requirement. Because the key requirement is disclosed in the skill text, this is a visibility note rather than a standalone concern.

User impact: Users or installers relying only on metadata may not realize the skill needs an API credential.
Recommendation: Declare the Odds-API key as the primary credential and document ODDS_API_KEY in metadata.