Find Football Thing 2026
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to be a read-only Gumtree UK football-listing helper, with low-risk setup and URL-scoping caveats users should notice.
This looks safe for read-only Gumtree searching if you trust the source and the bb-browser package. Keep usage to Gumtree URLs, treat seller descriptions and ticket listings as unverified, follow Gumtree and ticket-resale rules, and never let the agent arrange off-platform payments.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the dependency or copying the scripts gives bb-browser a persistent Gumtree site adapter on the user's machine.
The skill relies on an external, unpinned global npm tool and manual copying of helper scripts into a persistent bb-browser directory. This is expected for the stated bb-browser integration, but it is still a supply-chain/setup point users should review.
[bb-browser](https://www.npmjs.com/package/bb-browser) (`npm i -g bb-browser`). ... cp bb-sites/gumtree/search.js ~/.bb-browser/sites/gumtree/search.js
Install bb-browser only from the trusted npm source, inspect the two included scripts before copying them, and remove them from ~/.bb-browser/sites/gumtree if no longer needed.
If an agent or user supplies a non-Gumtree full URL, the helper may fetch an unrelated page instead of staying within the intended Gumtree listing scope.
Relative paths are forced to gumtree.com, but full http/https URLs are fetched as supplied. For a Gumtree listing tool, host validation would better enforce the stated scope.
if (!path.startsWith('http')) { ... path = 'https://www.gumtree.com' + path; } const resp = await fetch(path, {
Use this command only with Gumtree URLs or paths; maintainers should add explicit host validation for www.gumtree.com before fetching full URLs.
