! Purpose & Capability
The skill's code implements the advertised betting/odds analysis functionality and calls public football/odds APIs, which is coherent. However, the package also integrates an external billing system (SkillPay), with a hard-coded BILLING_API_KEY in payment.py and a meta.json that declares payment environment variables, while the registry metadata at the top reports no required env vars. This is inconsistent and not proportional to a pure analysis tool.
! Instruction Scope
SKILL.md describes the feature set and notes SkillPay billing, but does not clearly declare the required environment variables. The code (payment.py) reads SKILLPAY_USER_ID from the environment and calls external billing endpoints; analyzer.py reads FOOTBALL_API_KEY from the environment if it is set. Some paths assume access to a local skill workspace (14_matches_recommendation.py inserts '~/.openclaw/workspace/skills/...' into sys.path). The billing logic makes network requests that include the user's ID and will attempt to charge via skillpay.me; this behavior is not fully declared in the top-level requirements.
ℹ Install Mechanism
There is no install spec (the registry lists the skill as instruction-only), but the skill bundle includes Python code and a requirements.txt. There are no remote downloads or extract steps in an install script. The risk comes from the included code itself (it makes network calls when executed), not from an installer that fetches arbitrary remote archives.
! Credentials
The bundle and _meta.json indicate a payment integration that expects SKILLPAY_USER_ID and an API key, yet the registry declares no required env vars. Worse, payment.py contains a hard-coded billing API key (BILLING_API_KEY) embedded in source, which exposes a credential and gives the skill the immediate ability to call the billing API. The credential usage and the sending of user_id to the billing endpoint are not justified by analytics functionality alone and are disproportionate unless the user explicitly consents to billing.
✓ Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not request unusual system-wide privileges. It writes analysis outputs to a local outputs/ directory under the skill, which is expected for a local analyzer.
Scan Findings in Context
[hardcoded-secret:skillpay_billing_key] unexpected: payment.py contains a hard-coded BILLING_API_KEY value. A billing integration normally would use a server-side secret or require an operator-provided env var; embedding a secret in client-side skill code is a security and privacy concern.
What to consider before installing
What to consider before installing or running this skill:
- The code includes an integrated billing system (SkillPay) that will call https://skillpay.me and attempt to charge users. The billing key is embedded in the code, and the skill reads SKILLPAY_USER_ID from your environment. Be careful: your user_id would be sent to the billing endpoint and a charge attempted. If you do not want any automatic billing or external charge attempts, do not run this skill.
- The registry metadata and SKILL.md do not clearly declare the environment variables required for billing; ask the publisher to document required env vars and to remove any hard-coded keys. A proper design would require you to supply your own billing credentials (or have charges mediated by the platform), not ship with a secret in plain text.
- If you still want to use the functionality: inspect payment.py and consider removing or disabling billing calls before running, or run the skill in a tightly sandboxed environment (no network) while you audit it. Prefer running analyzer.py with network disabled or with only the data API keys you control.
- For privacy and financial safety: confirm who operates the skillpay.me endpoint and where funds go. Request proof the embedded key is intended for public use (if any) and ask for a safer implementation that uses server-side billing or explicit, documented prompts and consent before charging.
- Additional technical notes: 14_matches_recommendation.py modifies sys.path to a user-specific workspace path — harmless but unusual and brittle. The skill uses external APIs (API-Football) and will read FOOTBALL_API_KEY if set; supply only keys you control.
If you are not comfortable with potential automatic billing or with the hard-coded credential being present, do not install or run this skill. If you must use it, run it offline/locally after removing or stubbing out payment.py, or request a revised release that removes embedded secrets and clearly documents required environment variables and billing behavior.