Skillv1.0.3

ClawScan security

NBA Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 16, 2026, 5:04 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and behavior align with its stated purpose (fetching NBA data via the nba_api library); it requests no credentials and has no unusual install steps, though the bundled examples and script contain sloppy bugs and a truncated calendar example that you should review before running.
Guidance: This skill appears to be what it claims: an nba_api-based viewer for schedules, scores, injuries and simple alerts. Before installing or running it: 1) review/trim the truncated calendar example — any use of subprocess or system calls to modify calendars can run shell commands on your machine, so only run that part if you trust the code and understand the commands; 2) test the included script in a sandbox or non-production environment (there are some coding inconsistencies/typos that could raise exceptions); 3) since the skill uses live NBA endpoints, expect network requests and rate limits; 4) no credentials are required, which reduces risk, but always inspect third-party example code (especially anything that spawns subprocesses or writes to system calendars) before use.

Purpose & Capability: okName/description (NBA schedules, scores, injuries, calendar add) match the code and SKILL.md examples which use nba_api and pandas. Declared dependencies (nba_api, pandas) are appropriate and no unrelated credentials, binaries, or config paths are requested.
Instruction Scope: noteSKILL.md and code only call the nba_api endpoints and show examples for schedules, player stats, live scores and 'crunch time' alerts. One example (truncated) mentions adding games to Apple Calendar and earlier SKILL.md snippets import subprocess for that task — that could invoke system commands if followed, so review any calendar-related example code before running. Otherwise, examples do not ask the agent to read unrelated system files or exfiltrate data.
Install Mechanism: okNo install spec is provided; SKILL.md instructs users to pip install nba_api and pandas which is expected. No downloads from untrusted URLs or archive extraction steps are present.
Credentials: okThe skill requests no environment variables or credentials. The API usage relies on public nba_api library calls; optional proxy/custom headers are supported by the underlying library (user-supplied), which is reasonable for networking/troubleshooting.
Persistence & Privilege: okalways is false and the skill does not request persistent system-wide privileges or alter other skills. Model invocation is allowed (platform default) but there are no additional persistent actions in the files.