Skill v1.0.0

ClawScan security

Football Transfer Intel — Truth Meter & Rumour Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 11:46 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a football rumour/verification service and the single required credential (RT_API_KEY) is appropriate for that purpose.
Guidance
This skill appears internally consistent and only needs an RT_API_KEY to call api.risingtransfers.com. Before installing: (1) confirm you trust Rising Transfers and review their privacy/retention and pricing pages (the skill says query logs are kept up to 24 hours); (2) avoid sending any sensitive personal data in queries — the skill will forward player/club names to the external API; (3) verify the exact API endpoints and header requirements on the provider's docs (SKILL.md contains minor endpoint-name inconsistencies and an ambiguous note about the key being optional for hot topics); and (4) monitor credit usage if you plan many detailed queries. Overall, nothing here is disproportionate to the stated purpose.

Review Dimensions

Purpose & Capability: ok
Name/description (transfer rumour tracking, Truth Meter) align with the declared requirements: a single RT_API_KEY for authenticated calls and no required binaries or config paths. Requesting an API key is expected for a third‑party intelligence API.
Instruction Scope: note
SKILL.md instructs only HTTP calls to api.risingtransfers.com and states only player/club names are sent; it does not instruct reading local files or other env vars. Minor inconsistencies in endpoint naming (e.g., paths using /intelligence/ vs /intel/) and an ambiguous note that the API key header is "optional" for hot topics are present but do not indicate extra data exfiltration. The claim that "no conversation history is transmitted" matches the explicit API call instructions, but cannot be independently verified from an instruction‑only skill.
Install Mechanism: ok
No install spec or code is included (instruction-only). Nothing is downloaded or written to disk by the skill itself, which minimizes install-time risk.
Credentials: ok
Only one environment variable is required (RT_API_KEY), which is appropriate and proportional for a service that charges credits and authenticates requests. No unrelated credentials or sensitive system paths are requested.
Persistence & Privilege: ok
Skill does not request always:true, does not attempt to modify other skills or system settings, and has no install-time persistence. Autonomous invocation is allowed (platform default) but is not accompanied by unusual privileges.