Skill v1.0.1

ClawScan security

Polymarket Sports Arbitrage · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 21, 2026, 3:47 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and minimal requirements align with its stated purpose of scanning The Odds API for sports arbitrage; nothing in the bundle requests unrelated credentials or makes unexpected external calls.
Guidance
This skill appears internally consistent and does what it says: pull odds from The Odds API (or use demo data), detect arbs, and save results. Before installing: (1) confirm you trust the source, since the code will make outbound HTTP requests; (2) if you supply an ODDS_API_KEY, ensure it has only the permissions you expect and rotate it if shared; (3) be aware it writes results to RESULTS_FILE (default /tmp), which is world-readable on many systems; point RESULTS_FILE to a safer location if needed; (4) clawhub.json schedules runs every 30 minutes, so verify you want periodic scanning and network usage; (5) review the full sports_arbitrage.py locally if you need higher assurance (the presented portions are consistent, but always audit code from unknown sources). Finally, consider legal/regulatory and personal-responsibility aspects of interacting with betting APIs in your jurisdiction.

Review Dimensions

Purpose & Capability
ok
Name/description match the implementation: the skill fetches odds (The Odds API), computes implied probabilities and stake splits, and logs/arbs results. Declared dependency (requests) and optional ODDS_API_KEY are appropriate for this purpose.
Instruction Scope
ok
SKILL.md instructions describe fetching odds, using demo data when no API key is present, filtering by MIN_PROFIT_PCT, and writing results to RESULTS_FILE (default /tmp). The code follows this behaviour and does not request unrelated files, secrets, or hidden network endpoints in the visible sources.
Install Mechanism
ok
No custom install script is present. clawhub.json declares a pip dependency on 'requests', which is proportionate to the task (HTTP requests). No third-party binaries, unusual downloads, or archive extraction steps are present.
Credentials
ok
Only optional environment variables declared (ODDS_API_KEY, MIN_PROFIT_PCT, TOTAL_STAKE, SPORTS, RESULTS_FILE). These directly map to the skill's behaviour; no unrelated secrets or multiple unrelated credentials are requested.
Persistence & Privilege
note
The skill is an automaton with a cron schedule in clawhub.json (*/30 * * * *) so it will run periodically if installed. always:true is not set and there is no code that modifies other skills or system-wide configs. Note: autonomous invocation is enabled (platform default).