Skill v1.0.13

ClawScan security

MLB Daily Scores · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 27, 2026, 3:11 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and install steps are consistent with its stated purpose (fetching MLB data via the public MLB Stats API); it requests no unrelated credentials and its install steps are limited to creating a venv and installing Python packages from PyPI.
Guidance
This skill appears to do exactly what it says: create a local virtual environment, install MLB-StatsAPI and requests, read the skill entry in ~/.openclaw/openclaw.json, and query the public MLB Stats API to produce JSON for the agent to format and deliver. Before installing: (1) confirm you’re comfortable the cron/cron-target (--to) used in examples will deliver outputs to the intended channel/recipient; do not supply unrelated credentials or channel IDs you don't trust; (2) review the setup output when pip installs packages (run setup in an isolated environment if you prefer); (3) verify the .venv path and that the agent uses BASEDIR/.venv/bin/python3 as instructed; and (4) if concerned, scan the rest of fetch_mlb.py for any additional network calls (the visible code uses only MLB Stats API and optional requests). No API keys or unrelated system access are requested by this skill.

Review Dimensions

Purpose & Capability
ok
Name/description match the actual behavior: fetch_mlb.py calls the MLB Stats API and (optionally) uses requests for injury info. The declared binary (python3), the .venv usage, and pip packages (MLB-StatsAPI, requests) are directly relevant to the stated purpose.
Instruction Scope
ok
SKILL.md instructs the agent to run the bundled fetch_mlb.py from the created .venv and to read the skill config from ~/.openclaw/openclaw.json. Those actions are necessary and proportional to producing the scheduled or on-demand report. The instructions do not ask the agent to access unrelated system files or transmit data to unexpected endpoints; network calls are limited to the MLB Stats API and any endpoints used by requests for injury reports.
Install Mechanism
ok
There is no arbitrary remote archive download. setup.py and setup.sh create a .venv in the skill directory and install MLB-StatsAPI and requests from PyPI. This is a standard, expected install mechanism for a Python skill.
Credentials
ok
The skill declares no required environment variables or credentials. It reads only the OpenClaw config file (~/.openclaw/openclaw.json) for its own skill configuration (team/timezone), which is proportionate to its functionality.
Persistence & Privilege
ok
always is false and the skill runs only when invoked or scheduled. It creates a local .venv inside its own directory and does not request modification of other skills or system-wide config beyond the single OpenClaw config entry it documents.