Back to skill
Skillv1.0.0
ClawScan security
FPL(Fantasy Premier League) assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 28, 2026, 6:47 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only FPL advisor that only uses public FPL API endpoints and user-provided squad information; its requests and instructions match its stated purpose and nothing appears disproportionate.
- Guidance
- This skill is an instruction-only FPL advisor and appears internally consistent. Before installing or using it: (1) recognize it will call public FPL API endpoints (no login needed) to fetch data; (2) you will need to provide your manager_id and your squad (including buy prices) — do not share any sensitive account passwords or tokens; (3) cloning the repository into a workspace is optional and under your control (no executables are included); (4) the skill has no homepage/source listed, so if you plan to rely on it long-term prefer a version from a known/trusted source or inspect the files yourself; (5) if you want to limit exposure, only provide minimal manager/squad info required for advice and avoid pasting unrelated personal data. Overall the skill looks coherent and proportional to its stated purpose.
Review Dimensions
- Purpose & Capability
- okSkill name/description (FPL assistant) aligns with what it does: gather user squad context, call public FPL API endpoints, and apply strategy guidance. It does not request unrelated credentials, binaries, or system resources.
- Instruction Scope
- okSKILL.md limits runtime actions to: asking the user for their squad/manager_id/budget/chips and calling public FPL API endpoints (bootstrap-static, fixtures, element-summary, manager picks). There are no instructions to read arbitrary system files, environment variables, or send data to third-party endpoints outside the documented FPL API.
- Install Mechanism
- okThere is no install spec and no code files to execute — the skill is documentation/instruction-only. The README suggests cloning into a workspace for convenience, which is an install-time action under user control and not required for the skill to function.
- Credentials
- okThe skill requests no environment variables, no credentials, and no config paths. Runtime requires only user-provided FPL manager/squad info (manager_id and squad), which is appropriate for its function.
- Persistence & Privilege
- okSkill does not request always:true and makes no system-wide changes. It can be invoked by triggers as expected; autonomous invocation is allowed by platform default but not unique to this skill.