Soccer Cli
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: soccer-cli Version: 1.0.1 The skill bundle is a benign command-line interface for checking soccer scores and stats. The `install.sh` script transparently builds a local Go binary and places it in `~/.local/bin`. The Go code correctly reads an API key from `~/.config/soccer-cli/config.yaml` (or environment variables via `viper.AutomaticEnv()`) and uses it to authenticate with the legitimate `v3.football.api-sports.io` API. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts in `SKILL.md` or `README.md`. All actions align with the stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You will need to provide an API-Football key, which may be subject to provider rate limits, account controls, or billing terms.
The CLI uses a configured API key to authenticate to API-Football. This is purpose-aligned and disclosed in the documentation, but it is still credential use that users should protect.
req.Header.Set("x-apisports-key", c.ApiKey)Use a dedicated low-privilege or free-tier API key if possible, keep the config file private, and rotate the key if it is exposed.
Running the installer adds a soccer-cli executable to your PATH area, so future terminal commands may invoke it.
The installer compiles the Go program and places the resulting executable in the user's local bin directory. This is normal for a CLI tool and is user-directed, but it is still local code execution and installation.
go build -o soccer-cli main.go ... mv soccer-cli "$INSTALL_DIR/"
Run the installer only intentionally, review the source if desired, and ensure ~/.local/bin is managed as a trusted location.
It may be harder to verify the package origin, update history, or dependency provenance from registry metadata alone.
The registry metadata does not provide a verified source or homepage, even though the README references a GitHub repository. The included source appears coherent, so this is a provenance note rather than a concern.
Source: unknown; Homepage: none
Prefer installing from a verified repository or compare the included files with the claimed upstream project before trusting updates.