Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

NBA-games

v1.0.1

Gets upcoming and/or recent NBA game results for a specified team. Use this skill when asked about scheduled, upcoming, or past games for any NBA team.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with what the instructions do: fetch NBA schedules/results. Declared runtime requirement (python3) is proportionate and there are no unexpected credential or config demands.
Instruction Scope
The SKILL.md instructs the user to curl a remote Python script and then run it. That gives the downloaded script full ability to execute arbitrary Python on the host. Additionally, the Team ID lookup example uses a different hard-coded path (/home/node/python/...) than the install path ($HOME/.openclaw/skills/...), indicating sloppy or inconsistent instructions that could lead to accidental execution of other files or confusion.
Install Mechanism
No packaged install; the install step downloads a single Python file from raw.githubusercontent.com and saves it under the user's home directory. While GitHub raw URLs are common, the download is unpinned (no specific commit or tag) and no checksum or signature is provided — running the file executes arbitrary third-party code, which is a notable risk.
Credentials
The skill declares no environment variables, credentials, or config paths. That is appropriate for its purpose. Note: the downloaded script, once run, could itself read environment variables or files even though none are declared in the skill metadata.
Persistence & Privilege
The install writes a file to $HOME/.openclaw/skills/nba_games/nba-schedule.py, which is typical for instruction-based skills. The skill is not marked always:true and does not request system-wide privileges, but it does create and later execute a file in the user's home directory — consider this a modest persistence surface.
What to consider before installing
This skill does what it says (fetch NBA games) but its install step asks you to download and run a third-party Python script from GitHub without pinning the commit or providing a checksum. That script would run with whatever privileges your agent has and could read files or exfiltrate data. Before installing: (1) review the script at the provided GitHub URL yourself; (2) ask the publisher to pin to a specific commit or provide a checksum/signature; (3) prefer executing the script in a sandbox or container; (4) request the skill bundle include the code (so it can be statically reviewed) or replace it with a well-known, audited package or an official API. Also ask the maintainer to fix the inconsistent path in the Team ID lookup example.


latest · vk97e4tnmefwtmy98cm662s9gzx84f742


Runtime requirements

Bins: python3
