Back to skill

Security audit

World Cup 2026 Odds Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a simple read-only World Cup odds lookup skill that uses a disclosed Odds API key and has no evidence of hidden behavior, persistence, or destructive actions.

Install only if you are comfortable using a limited-purpose The Odds API key for World Cup odds lookups. Avoid sharing logs or command histories that include the full request URL, and prefer a scoped or low-risk API key because the skill passes it to The Odds API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

External Transmission

Medium
Category
Data Exfiltration
Content
Fetch which teams are favored to win the 2026 World Cup across all sportsbooks:

```bash
curl -s "https://api.the-odds-api.com/v4/sports/soccer_fifa_world_cup_winner/odds?apiKey=$ODDS_API_KEY&regions=us&markets=outrights&oddsFormat=american" \
  | jq '[.[] | {
    market: .away_team // "Outright Winner",
    books: [.bookmakers[] | {
Confidence
90% confidence
Finding
https://api.the-odds-api.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.