MLB Daily Scores

Security checks across malware telemetry and agentic risk

Overview

This skill coherently fetches public MLB data for a configured team and has no evidence of hidden data collection or destructive behavior.

Install this if you are comfortable with it creating a local Python virtual environment, installing its Python dependencies, reading its team/timezone config, and making MLB Stats API requests. Use the slash command or configure cron only for channels where daily baseball updates are wanted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions, yet its metadata and instructions clearly invoke shell commands, create/use a virtual environment, read user config files, and access the network via the MLB API. This mismatch weakens the platform's trust and review model because users and tooling cannot accurately understand the skill's real capabilities before installation or execution.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The README suggests triggering the skill with a natural-language request like "What happened in the Yankees game yesterday?", which is broad enough to overlap with ordinary sports conversation. In assistants that route messages to skills based on semantic similarity, this can cause unintended invocation, data fetching, or channel output when the user did not explicitly intend to run the skill.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The manual invocation examples are broad natural-language phrases like "Give me today's MLB update," which could cause the skill to trigger unintentionally during normal conversation. That increases the chance of surprise execution of its shell/network workflow, especially for a user-invocable skill with scheduled and on-demand behavior.

VirusTotal

66/66 vendors flagged this skill as clean.
