CLV Tracker — Closing Line Value

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local betting-performance tracker that stores bet history in a local SQLite database and uses an odds API key, with no evidence of hidden or destructive behavior.

Install only if you are comfortable storing betting history locally in ~/.openclaw/data/clv.db and providing an Odds API key. Treat the database as sensitive personal data and review commands before running them with real bet details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to persist betting records into a local SQLite database at a fixed path in the user's home directory, but it does not warn the user that data will be stored persistently or explain the privacy and retention implications. Because bet history can reveal sensitive behavioral, financial, or gambling-related information, silent persistence increases the risk of unintentional data collection and later exposure to other local tools, users, or backups.

VirusTotal

61/61 vendors flagged this skill as clean.
