Soccer Cli
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward soccer-results CLI that uses a user-provided API-Football key and a local installer, with no evidence of hidden or destructive behavior.
This skill looks safe for its stated purpose. Before installing, be comfortable running a local Go build script, storing an API-Football key in a config file, and trusting a package whose registry metadata does not identify a verified source homepage.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You will need to provide an API-Football key, which may be subject to provider rate limits, account controls, or billing terms.
The CLI uses a configured API key to authenticate to API-Football. This is purpose-aligned and disclosed in the documentation, but it is still credential use that users should protect.
req.Header.Set("x-apisports-key", c.ApiKey)Use a dedicated low-privilege or free-tier API key if possible, keep the config file private, and rotate the key if it is exposed.
Running the installer adds a soccer-cli executable to your PATH area, so future terminal commands may invoke it.
The installer compiles the Go program and places the resulting executable in the user's local bin directory. This is normal for a CLI tool and is user-directed, but it is still local code execution and installation.
go build -o soccer-cli main.go ... mv soccer-cli "$INSTALL_DIR/"
Run the installer only intentionally, review the source if desired, and ensure ~/.local/bin is managed as a trusted location.
It may be harder to verify the package origin, update history, or dependency provenance from registry metadata alone.
The registry metadata does not provide a verified source or homepage, even though the README references a GitHub repository. The included source appears coherent, so this is a provenance note rather than a concern.
Source: unknown; Homepage: none
Prefer installing from a verified repository or compare the included files with the claimed upstream project before trusting updates.