ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sports Odds Scanner

v1.1.0

Fetch live sports betting odds from 20+ sportsbooks and compare lines. Supports NFL, NBA, MLB, NHL, soccer, and 30+ sports. Use when asked about odds, lines,...

0· 102·0 current·0 all-time
by@rsquaredsolutions2026
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description match the instructions: it fetches odds from The Odds API and compares lines. Requested binaries (curl, jq) are appropriate. However, the registry metadata reported "Required env vars: none" while the SKILL.md includes a credential entry requiring ODDS_API_KEY — this mismatch should be resolved.
Instruction Scope
SKILL.md contains focused, minimal runtime instructions: example curl calls to https://api.the-odds-api.com using $ODDS_API_KEY and a jq filter. It does not instruct the agent to read unrelated files, system paths, or extra environment variables.
Install Mechanism
Instruction-only skill with no install spec and no code files. Low install risk because nothing is written to disk by the skill bundle itself.
!
Credentials
Functionally the skill only needs a single API key (ODDS_API_KEY) for The Odds API, which is proportionate. The concern is the conflicting metadata: the registry claims no required env vars while the SKILL.md requests ODDS_API_KEY. Also the skill's source/homepage are not authoritative (homepage none, source unknown) which increases risk around trust of any credential you supply.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. That is the platform default and not by itself a red flag.
Scan Findings in Context
[no-regex-findings] expected: No code files to scan; the bundle is instruction-only (SKILL.md). The static scanner had nothing to analyze.
What to consider before installing
This skill appears to legitimately call The Odds API and only needs an API key and curl/jq to work, but two things to check before installing: (1) confirm where the skill package came from and the publisher identity (source/homepage are missing); (2) confirm the registry metadata is updated to declare the ODDS_API_KEY requirement — do not paste high-privilege or shared credentials until you trust the publisher. If you proceed, create an API key scoped for The Odds API only, monitor its usage, and consider rotating or revoking it if anything unexpected appears. Autonomous invocation is allowed by default (normal), so the agent could call the API when the skill is used.

Like a lobster shell, security has layers — review code before you run it.

agentbetsvk979d75kqbjb4gxr48g43rr11983j4gebettingvk979d75kqbjb4gxr48g43rr11983j4gelatestvk979d75kqbjb4gxr48g43rr11983j4geopenclawvk979d75kqbjb4gxr48g43rr11983j4geprediction-marketsvk979d75kqbjb4gxr48g43rr11983j4gesports-bettingvk979d75kqbjb4gxr48g43rr11983j4ge

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📊 Clawdis
Binscurl, jq

Comments