Lota Football

Security checks across malware telemetry and agentic risk

Overview

This football data skill is purpose-aligned, but it handles API keys in ways that can expose them, especially by defaulting to unencrypted HTTP and showing scheduled use with inline secrets.

Review before installing. Use an HTTPS LOTA_API_BASE_URL if supported, avoid putting the API key directly in shell history or crontab, restrict permissions on lota_data and logs, monitor API quota usage, and remove any cron job when continuous updates are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings
Severity: Low
Confidence: 83%
Finding: The documentation tells users to export an API key and describes automated fetching, caching, and logging, but does not warn about protecting credentials or the sensitivity of locally written data/log files. This can lead to accidental exposure of API keys in shell history, process listings, cron configs, or logs, especially in shared environments.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The script defaults to an unencrypted HTTP endpoint and conditionally sends an X-API-Key header to that endpoint. This exposes both response data and the API key to interception or manipulation by any network attacker in the path, which can lead to credential theft, tampered results, and unauthorized API use.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The script defaults its API base URL to plain HTTP, so requests and responses can be intercepted or modified by any on-path attacker. Because the tool may send an API key in the X-API-Key header and consumes remote data without integrity protection, this creates both credential exposure and response tampering risk.

VirusTotal

64/64 vendors flagged this skill as clean.