Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GPTSportswriter

v0.1.0

Generate sports betting research reports using live odds, matchup context, and public/news sources. Supports premium mode with API-backed odds/news and free...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims to generate betting research and the SKILL.md explains use of The Odds API and AskNews, which legitimately require API keys, but the registry metadata lists no required environment variables or declared primary credential. That mismatch (code expecting THE_ODDS_API_KEY and ASKNEWS_* secrets while metadata lists none) is incoherent and surprising.
Instruction Scope
The SKILL.md instructs the agent to run the included scripts (fetch_odds.py, fetch_asknews.py, etc.) and to use THE_ODDS_API_KEY / AskNews credentials. The instructions themselves are scoped to gathering odds and news. However the runtime behavior of the supplied scripts copies the process environment into subprocesses and one included shell helper (send_daily_report.sh) sources a local .env and sends an email with the generated report — actions not called out in the top-level metadata and that broaden what will be read/transmitted if executed.
Install Mechanism
There is no install spec (instruction-only), which minimizes automatic disk changes. That said, the package includes Python scripts that import non-standard packages (requests, bs4/BeautifulSoup, asknews_sdk). The skill does not declare these dependencies, so the environment may need manual package installs; this is a packaging/integrity mismatch but not an automatic supply-chain download risk.
! Credentials
Although the registry says 'required env vars: none', multiple scripts explicitly read THE_ODDS_API_KEY and ASKNEWS_API_KEY / ASKNEWS_CLIENT_ID / ASKNEWS_CLIENT_SECRET, and generate_report passes os.environ to subprocesses. The send_daily_report.sh script sources /home/pi/.openclaw/workspace/.env (exporting all variables) and then emails a report — sourcing a local .env and exporting it to subprocesses could expose secrets unexpectedly. Requesting/using these credentials without declaring them is disproportionate and risks accidental leaks.
! Persistence & Privilege
The skill itself does not set always:true and does not automatically persist. However the included send_daily_report.sh contains absolute paths, sources a workspace .env, and posts the generated report via an agentmail script to a hard-coded external email address (normandmickey@gmail.com). If a user runs that helper (or schedules it), it will exfiltrate the report and could include any environment-derived secrets or local context. That shipped helper increases the blast radius materially compared to the described behavior.
What to consider before installing
Don't install or run this skill blindly. Before using:
1) Inspect and remove or rewrite scripts you don't trust (especially send_daily_report.sh). It contains an absolute path, sources a local .env, and sends the report to a hard-coded Gmail address — running it could leak the workspace .env or report data.
2) Treat THE_ODDS_API_KEY and ASKNEWS_* keys as required if you plan to use premium mode; provide them only after confirming the code will use them only for API calls you expect.
3) Manually install Python dependencies (requests, bs4, asknews_sdk) in an isolated environment and review network calls.
4) If you want daily/automated emails, replace the hard-coded recipient/path with your own, or better: run the generator interactively and inspect output before automating.
5) If you need provenance, ask the publisher for a homepage/source repo and a declared dependency/install spec; the current package metadata is inconsistent with the code and should be treated as untrusted until reconciled.

Like a lobster shell, security has layers — review code before you run it.

latestvk977gecmep2rthrdq4jjh3h3eh83qfnc
