Back to skill
Skillv1.0.2
ClawScan security
Bracket Oracle · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 16, 2026, 5:59 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and optional environment variables are consistent with a March Madness bracket generator that fetches Torvik/KenPom/ESPN data, and nothing in the bundle appears disproportionate or unrelated to that purpose.
- Guidance
- This skill appears coherent and implements what it claims: it will make outgoing HTTP requests to Bart Torvik, ESPN (and optionally KenPom), and it caches JSON under a local data/ folder. If you plan to use KenPom features, provide only a dedicated KenPom credential and be aware those credentials are used for logging into that service. If you have concerns about network access or local caching, run the skill in an isolated environment (virtualenv/container) or review the included source files (they are small and readable). Finally, the SKILL.md references a GitHub repo for agent competitions — check that external repo if you intend to submit brackets.
Review Dimensions
- Purpose & Capability
- okName/description match the implementation: code fetches Bart Torvik JSON, optionally KenPom (requires credentials), and ESPN public picks; simulation, optimizer, and data/model modules implement the described functionality. There are no requests for unrelated services or credentials.
- Instruction Scope
- okSKILL.md directs the agent to run the included Python modules. The runtime instructions and code perform network calls only to the stated data sources (barttorvik.com, ESPN public picks URL, and optional KenPom). The code reads/writes cache files under a local data/ directory and does not instruct reading unrelated system files or environment variables beyond the optional KenPom creds.
- Install Mechanism
- okNo install spec is provided (instruction-only at registry level), and the README lists minimal Python dependencies (requests, optional kenpompy). No downloaded archives, URL shorteners, or remote installers are used by the bundle itself.
- Credentials
- okNo required environment variables are declared; only optional KENPOM_EMAIL and KENPOM_PASSWORD are referenced for the KenPom pathway which legitimately requires credentials. No other SECRET/TOKEN/PASSWORD variables are requested.
- Persistence & Privilege
- okSkill does not request always:true and does not modify other skills. It creates a local data/ cache directory for fetched data (expected behavior) but does not escalate privileges or alter system-wide agent settings.