Sports Events Query

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward sports lookup skill that calls TheSportsDB and shows no evidence of hidden access, credential use, persistence, or destructive behavior.

Install this if you are comfortable with sports query terms being sent to TheSportsDB and with installing the Python `requests` dependency. Use a virtual environment if possible, and expect some command output labels to be in Chinese unless the skill is updated.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium (89% confidence)

Finding:
The activation description is broad enough to trigger on many generic sports-related questions, which can cause the agent to invoke this skill unnecessarily. Over-broad routing increases unintended third-party data disclosure and can override better-suited local or safer handling paths.

Missing User Warnings

Low (94% confidence)

Finding:
The skill states it uses an external API but does not warn that user sports queries may be sent to a third-party service. This creates a transparency and privacy issue because users may provide names, preferences, or other contextual data without realizing it leaves the local system.

Natural-Language Policy Violations

Medium (83% confidence)

Finding:
The examples demonstrate output in Chinese without documenting that language behavior or obtaining user preference, which can lead to confusing or misleading responses. In an agent setting, undocumented language forcing can cause incorrect assumptions about user intent, accessibility issues, and reduced trust in the system's behavior.

VirusTotal

66/66 vendors flagged this skill as clean.
