ClawHub

Yahoo Fantasy Baseball

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed read-only Yahoo Fantasy Baseball helper that stores Yahoo credentials locally and installs one pinned Python dependency during explicit setup.

Install only on a trusted machine, review the pinned yahoo_fantasy_api dependency before running --setup, and be comfortable storing Yahoo OAuth material locally. Revoke the Yahoo app/token and remove ~/.openclaw/credentials/yahoo-fantasy if you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Install requirements into the venv
    pip_cmd = [_VENV_PYTHON, "-m", "pip", "install", "-q", "-r", _REQUIREMENTS]
    subprocess.check_call(pip_cmd, stdout=sys.stderr, stderr=sys.stderr)

    print("Dependencies installed.", file=sys.stderr)
Confidence
83% confidence
Finding
subprocess.check_call(pip_cmd, stdout=sys.stderr, stderr=sys.stderr)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions, but the documented behavior clearly requires network access, shell execution, environment-variable access, and local file writes for setup, OAuth, and credential/config persistence. This is a real security issue because users and policy engines may rely on declared permissions to understand or constrain what the skill can do, and undeclared capabilities reduce transparency around credential handling and outbound access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The skill is described as read-only with no roster modifications, but the documented behavior also includes OAuth authentication, credential collection and storage, dependency installation, local persistence, and migration of legacy credential files. Even if these behaviors are not inherently malicious, the mismatch is security-relevant because it can cause users to grant trust to a seemingly simple read-only skill without realizing it performs setup, stores secrets on disk, and executes broader local actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal