Skill v0.1.3

ClawScan security

Baseball · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 22, 2026, 5:02 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code and instructions align with its stated purpose: it only needs python3 and makes requests to the public MLB Stats API; it does not request unrelated credentials or perform unexpected file or network access.
Guidance
This skill appears to do what it says: it runs local Python scripts that call the public MLB Stats API (statsapi.mlb.com) and prints results. It does not request secrets or access unrelated system files. Before installing, consider whether you are comfortable allowing the skill to make outbound network requests from your agent (the only external traffic is to the MLB API). If you have strict egress controls, you can restrict or monitor outbound calls to the MLB API host. If you want extra assurance, a quick code review of the included scripts in your environment confirms there are no hidden endpoints or credential leaks.

Review Dimensions

Purpose & Capability
ok: Name/description (MLB schedules, live status, box scores, player search/stats) match the code and runtime instructions. The only required binary is python3, which is appropriate. The code only references MLB endpoints (statsapi.mlb.com) and an internal team map.
Instruction Scope
ok: SKILL.md instructs running the included Python scripts with specific subcommands and arguments. There are no instructions to read unrelated files, prompt for secrets, or transmit data to non-MLB endpoints. The documentation uses an absolute workspace path (/home/claw/.openclaw/...), which is consistent with the agent runtime and not a security concern here.
Install Mechanism
ok: No install spec is provided; the skill is delivered as scripts and docs. No third-party downloads, package managers, or extract/install steps are present.
Credentials
ok: No environment variables, credentials, or config paths are required. The skill does outbound network calls to the MLB Stats API only, which is necessary for its function.
Persistence & Privilege
ok: always is false and the skill does not request elevated or persistent platform privileges. Model invocation is not disabled (default), which is normal for user-invocable skills and reasonable here.