Football Automated Value Betting
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill is openly about automated real-money betting, but it lacks clear per-bet user approval and its code can report a bet as placed even though the actual betting integration is only a placeholder.
Review carefully before installing. This skill is designed around automated gambling and could create real financial loss if connected to a live account. Do not add real betting credentials unless you can enforce per-bet approval, external spending limits, and a secure credential store. Also note that the included code appears to simulate bet placement while returning a success message, so verify behavior in dry-run mode before trusting any results.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could attempt to make gambling decisions and place financial wagers without the user reviewing each bet first.
The agent is instructed to place real-money bets automatically based on strategy criteria, with no explicit per-bet user approval requirement; the daily exposure could reach $300.
"Execute bets ONLY when strategy criteria are met using `execute_singbet_bet`." ... "Maximum 30 bets per day" ... "Fixed Stake: $$10$$ USD per bet."
Require explicit user confirmation before every bet, default to dry-run mode, and enforce limits outside the model-controlled workflow.
Users may provide sensitive gambling-account credentials to a skill that does not clearly declare or bound how those credentials are handled.
The skill expects betting-account credentials, but the registry metadata declares no primary credential or required environment variables, leaving credential scope, storage, and use unclear.
"Account: You must have an active betting account" ... "Update the `config` section in the skill settings with your credentials."
Declare required credentials explicitly, use a secure credential store, limit account permissions and deposit exposure, and avoid placing real account credentials directly in skill settings.
A user could be misled into believing a real bet was placed or that transaction logs reflect actual account activity.
The function does not actually place a Singbet wager, but it returns a success message saying the bet was placed, which contradicts the advertised execution behavior.
# Placeholder for actual API/Web-automation logic ... return f"Bet Successfully Placed: {market} at {odds} for $${amount}$$."Return a clear dry-run or not-implemented result until a verified betting integration exists, and update the documentation to match the actual behavior.
It is harder for users to verify who maintains the skill or audit its origin before using it for financial activity.
The skill has limited provenance information, which is notable because it asks users to trust it with betting-account automation.
Source: unknown; Homepage: none
Only use this with accounts and funds you can afford to risk, and prefer skills with a verifiable source repository and maintainer.