Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cricket Live

v1.0.0

Provides real-time live cricket scores, detailed scorecards, upcoming matches, recent results, IPL standings, and match alerts using CricketData.org API.

by Harshil Mathur (@harshilmathur)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The scripts and SKILL.md implement live scores, match search, IPL features, caching, and cron alerts and require an API key plus curl/jq — all appropriate for the stated purpose. NOTE: registry metadata at the top claims no required env vars/binaries, but skill.json and SKILL.md/do scripts require CRICKET_API_KEY and binaries (curl, jq). Also the top-level 'Source/Homepage: unknown/none' contradicts skill.json which points to a GitHub repo. These metadata inconsistencies are likely packaging/metadata issues rather than malicious behavior, but you should verify the source before trusting it.
Instruction Scope
Runtime instructions and scripts only read their bundled config files (config/*.yaml), use /tmp for cache/state, and call the CricketData API (api.cricapi.com / api.cricketdata.org). They do not attempt to read unrelated system files, other skills' config, or transmit data to unexpected endpoints.
Install Mechanism
There is no install spec (instruction-only), and all code is included in the package as plain shell scripts. No remote downloads or installers are invoked. The scripts require bash >=4, curl, and jq to be present on the system.
Credentials
The only sensitive input requested is CRICKET_API_KEY (declared in skill.json and documented in SKILL.md), which is appropriate for an API client. The scripts optionally read config/cricket.yaml if the env var is absent. No other credentials, tokens, or unrelated environment variables are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It stores cache and transient state in /tmp (configurable), which is normal for a cron/CLI alert script.
Assessment
This skill appears to do what it says: a shell-based cricket scores client that needs an API key and the standard CLI tools (curl, jq). Before installing:
1) Verify the author/source — top-level metadata in the registry is inconsistent with skill.json (homepage/source fields point to a GitHub repo but registry lists 'unknown'); review that repository or the package files to ensure they match what you expect.
2) Provide only the CricketData API key (CRICKET_API_KEY); prefer setting it as an environment variable rather than embedding it in persistent files.
3) Ensure curl and jq are installed.
4) Note the scripts cache and keep state in /tmp; if you run alerts in cron, point cron to the correct script path and be aware of API quota (free tier ~100 calls/day).
5) If you need higher assurance, inspect the referenced GitHub repo and the scripts directly before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk975d0n229a4e91wdw03jh3ze9819c3f
