Football Automated Value Betting

What to consider before installing: - The skill asks you to provide an API key and betting-account credentials but does not declare any env vars for secure injection; instead an api_key-like value is embedded in the shipped JSON. Treat that as a red flag: do not assume the embedded key is safe or valid. - Automated betting carries real financial and legal risk. Confirm local laws permit this activity and be prepared for monetary loss. - If you proceed, require the developer to: (1) remove hard-coded secrets from shipped files, (2) declare required environment variables (e.g., ODDS_API_KEY, SINGBET_USER / SINGBET_PASS or token) so you can supply credentials securely, and (3) provide a clear, auditable implementation of how bets are executed (authentication, endpoints, and error handling). - Prefer to test in a sandbox: run the skill in an isolated environment with fake/test credentials and no real funds before enabling any real execution. If the embedded api_key is real, rotate/revoke it. - If you need a quick safety checklist: ask the author for (A) explicit list of required secrets, (B) proof that the skill does not exfiltrate local files or unrelated credentials, and (C) assurance that actual bet execution is gated behind an explicit, user-confirmed step (not fully autonomous). Confidence note: assessment is medium confidence because the code is short and the actual bet-execution is a placeholder; the main issues are the credential handling inconsistencies and the presence of a hard-coded api_key in the config JSON.