football-value-bets
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: football-value-bets
Version: 1.0.0

The skill is classified as suspicious due to significant prompt injection and shell injection vulnerabilities in SKILL.md. The AI agent is instructed to execute local Python scripts (`bet_tracker.py`, `match_fetcher.py`) by constructing shell commands that directly embed user-controlled input (e.g., `--date`, `--slip-idx`, `--days`, `--date-from`, `--date-to`). Without explicit sanitization instructions for the agent, a malicious user could inject arbitrary shell commands (e.g., `2026-02-15; rm -rf /`) into these arguments, leading to Remote Code Execution (RCE). Additionally, the `date_str` parameter in `bet_tracker.py` is used to construct file paths, posing a potential path traversal vulnerability if user input is not sanitized, allowing writes to unintended files within the skill's data or config directories.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may make football-data API calls and web searches using team and match information.
The skill directs the agent to run local scripts and perform web searches. This is expected for data-driven betting analysis, but users should know the agent will use external tools during normal operation.
Fetch current match data:
```bash
python3 {baseDir}/scripts/match_fetcher.py --mode full
```
...
After the data analysis, search the web for EVERY shortlisted match
Use the skill when you are comfortable with external match/news lookups, and review the generated bet slip before acting on it.
The skill can use your football-data.org API quota/account for match data requests.
The script reads the football-data.org API key from the environment or config file and sends it as the provider auth header. This is necessary for the stated API integration and does not show unrelated credential use.
```python
key = os.environ.get("FOOTBALL_DATA_API_KEY", "")
...
key = cfg.get("api_key", "")
...
headers = {"X-Auth-Token": api_key}
```
Use a dedicated low-privilege/free API key, prefer an environment variable over storing it in a file, and rotate the key if it is exposed.
Installing the dependency changes the local Python environment.
The skill asks the user to install the standard Python `requests` package. This is purpose-aligned for API access, but any package install adds normal dependency provenance risk.
Install dependencies (one-time):
```bash
pip install requests
```
Install dependencies from a trusted package source, ideally in a virtual environment.
Your generated slips, stakes, results, ROI, and history may remain on disk for later stats/history use.
The tracker persists bet slips and cumulative statistics locally. This is aligned with the advertised result-tracking feature, but it creates a stored record of betting activity.
```python
DATA_DIR = Path(__file__).resolve().parents[1] / "data"
BETS_DIR = DATA_DIR / "bets"
STATS_FILE = DATA_DIR / "stats.json"
```
Review or delete the skill's local `data` directory if you do not want betting history retained.
