Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
CLV Tracker — Closing Line Value
v1.1.0
Track Closing Line Value — the gold standard for measuring betting edge. Log placement odds, fetch closing lines, compute CLV, and generate performance repor...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to 'fetch closing lines' and compute CLV, but the SKILL.md only shows a local 'Log a Bet' sqlite insertion. SKILL.md metadata declares an 'ODDS_API_KEY' credential and requires curl and jq (which would be appropriate for calling an odds API), yet the top-level registry metadata lists no required env vars and the runtime instructions do not show any API calls or use of curl/jq. This mismatch suggests the implementation is incomplete or the manifest is inconsistent.
Instruction Scope
Instructions are limited to computing a placement probability via inline python and inserting a record into ~/.openclaw/data/clv.db. That scope is reasonable for logging, but there are two concerns: (1) missing instructions for retrieving closing lines (contradicts feature claims), and (2) the example inserts user-replaced tokens directly into a shell command / SQL statement, which risks SQL or shell injection if replacements aren't properly escaped by the agent.
Install Mechanism
Instruction-only skill with no install spec and no code files — low installation risk. Nothing is downloaded or written by an installer step.
Credentials
SKILL.md declares a credential (The Odds API Key → ODDS_API_KEY) which is appropriate for fetching closing lines, but the skill registry lists no required env vars and the instructions don't use the key. Required binaries include curl and jq although the provided runtime snippet doesn't use them. This inconsistency makes it unclear whether the skill will request or use credentials; users could be asked to provide an API key that the manifest currently doesn't declare.
Persistence & Privilege
The skill writes to and reads from a local DB at ~/.openclaw/data/clv.db; it does not request elevated privileges, system-wide configuration changes, or 'always' inclusion. This is expected for a local tracking tool.
What to consider before installing
This skill is plausible for tracking bets, but the package is inconsistent: the SKILL.md mentions an odds API credential and requires curl/jq, yet the runtime instructions only show a local sqlite insertion and the registry lists no env vars. Before installing or providing any API keys: (1) ask the publisher for the full runtime instructions for fetching closing lines and confirm how ODDS_API_KEY will be used and stored; (2) avoid pasting secrets until you see an explicit, justified env declaration and safe handling; (3) verify how user input is escaped—the example substitutes tokens directly into shell/SQL commands which can enable injection if not sanitized; (4) consider running the skill in a sandbox or inspecting any implementation code (if provided later) to confirm network endpoints and data flows. If the publisher cannot clarify these mismatches, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📈 Clawdis
Bins: sqlite3, curl, jq, python3
