Skill v1.0.0

ClawScan security

Cricket Live · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 16, 2026, 2:31 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and requested access are coherent with a terminal-based cricket-scores tool that needs a single CricketData API key and the usual CLI tools (curl, jq).
Guidance
This skill appears to do what it says: a shell-based cricket scores client that needs an API key and the standard CLI tools (curl, jq). Before installing:
1) Verify the author/source: top-level metadata in the registry is inconsistent with skill.json (homepage/source fields point to a GitHub repo but the registry lists 'unknown'); review that repository or the package files to ensure they match what you expect.
2) Provide only the CricketData API key (CRICKET_API_KEY); prefer setting it as an environment variable rather than embedding it in persistent files.
3) Ensure curl and jq are installed.
4) Note that the scripts cache and keep state in /tmp; if you run alerts in cron, point cron to the correct script path and be aware of API quota (free tier ~100 calls/day).
5) If you need higher assurance, inspect the referenced GitHub repo and the scripts directly before use.

Review Dimensions

Purpose & Capability
note: The scripts and SKILL.md implement live scores, match search, IPL features, caching, and cron alerts, and require an API key plus curl/jq, all appropriate for the stated purpose. NOTE: registry metadata at the top claims no required env vars/binaries, but skill.json, SKILL.md, and the scripts require CRICKET_API_KEY and binaries (curl, jq). Also, the top-level 'Source/Homepage: unknown/none' contradicts skill.json, which points to a GitHub repo. These metadata inconsistencies are likely packaging/metadata issues rather than malicious behavior, but you should verify the source before trusting it.
Instruction Scope
ok: Runtime instructions and scripts only read their bundled config files (config/*.yaml), use /tmp for cache/state, and call the CricketData API (api.cricapi.com / api.cricketdata.org). They do not attempt to read unrelated system files, other skills' config, or transmit data to unexpected endpoints.
Install Mechanism
ok: There is no install spec (instruction-only), and all code is included in the package as plain shell scripts. No remote downloads or installers are invoked. The scripts require bash >=4, curl, and jq to be present on the system.
Credentials
ok: The only sensitive input requested is CRICKET_API_KEY (declared in skill.json and documented in SKILL.md), which is appropriate for an API client. The scripts optionally read config/cricket.yaml if the env var is absent. No other credentials, tokens, or unrelated environment variables are requested.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or system-wide settings. It stores cache and transient state in /tmp (configurable), which is normal for a cron/CLI alert script.