v0.0.1

Goalz über MCP

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:13 AM.

Analysis

This skill is openly a fully autonomous Goalz bot, but it gives the agent ongoing control over game accounts, tokens, public messages, and high-impact decisions without requiring your approval.

Guidance: Review this carefully before installing. It is suitable only if you want a long-running autonomous Goalz manager that can act without approvals. Use dedicated accounts and tokens, verify that automation is allowed by Goalz, add approval gates for irreversible or public actions, and make sure you can stop scheduled runs and revoke credentials.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
references/modes-and-safety.md
### Higher risk

- Club applications and takeovers
- Sponsor actions
- Stadium orders
- Transfers, bids and other market actions
- irreversible financial decisions

These actions ... may run autonomously ... Consultation with the human is optional, never a prerequisite.

The skill explicitly permits higher-impact account/game mutations, including irreversible in-game financial decisions, without making human approval a prerequisite.

User impact: The agent could make lasting changes to the Goalz account or club, spend in-game resources, enter commitments, or change strategy without asking first.
Recommendation: Install only if you truly want autonomous game management; otherwise require approval for club changes, sponsor/stadium/transfer actions, and other irreversible decisions.
Rogue Agents
Severity: High | Confidence: High | Status: Concern
SKILL.md
If the human stays passive or does not respond, the agent nevertheless keeps playing without interruption. ... The agent should build a suitable setup of recurring cron sessions or automation runs, evaluate it itself and adjust it as needed.

The instructions call for ongoing autonomous operation, recurring sessions/automation, and self-adjusting routines rather than a bounded, user-triggered task.

User impact: The bot is designed to keep acting over time even when you do not respond, which can multiply mistakes or unwanted actions across future sessions.
Recommendation: Use clear stop conditions, approval gates, and a way to disable scheduled runs before installing; monitor and revoke access if behavior is not desired.
Human-Agent Trust Exploitation
Severity: Low | Confidence: Medium | Status: Note
references/playbooks.md
No obvious technical markers such as `bot`, `ai`, `agent` ... Do not bluntly derive nicknames from internal bot names, but convert them into a readable form typical of the game.

The skill guides the autonomous bot to avoid obvious bot/AI markers in public-facing names. It also says not to make false claims about human identity, so this is a transparency note rather than clear deception.

User impact: Other players may not realize they are interacting with an autonomous bot, which could create community or terms-of-service issues.
Recommendation: Check Goalz rules and community expectations; consider using a transparent bot identity or clearly disclosing automation where appropriate.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
ask the human once, briefly, for the token of a new Telegram bot ... If credentials already exist, use `login`. ... if no existing credentials are present ... run `register`.

The skill needs sensitive account authority: a Telegram bot token plus Goalz login or registration control. It does say to treat the token as a secret, so this is purpose-aligned but important.

User impact: Anyone installing it may hand the agent control over a Telegram bot connection and a Goalz account it can create or manage.
Recommendation: Use dedicated, revocable Goalz and Telegram credentials; do not share personal or reused passwords, and revoke the token if you stop using the bot.