Football Betting Analyzer

Security checks across malware telemetry and agentic risk

Overview

The skill is a football betting analyzer, but it includes embedded billing code that can charge a SkillPay user ID and should be reviewed before installation.

Install only if you expect SkillPay billing and trust the publisher and skillpay.me. Be aware that the included payment helper can send a SkillPay user ID to the billing service and attempt a 0.01 USDT charge; the football analysis code itself appears ordinary, but the payment implementation needs careful review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Tainted flow: 'user_id' from os.environ.get (line 96, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
Returns: {"ok": bool, "balance": float, "payment_url": str|None}
    """
    try:
        resp = requests.post(
            f"{BILLING_API_URL}/api/v1/billing/charge",
            headers=HEADERS,
            json={
Confidence
97% confidence
Finding
resp = requests.post( f"{BILLING_API_URL}/api/v1/billing/charge", headers=HEADERS, json={ "user_id": user_id, "skill_id": SK

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises capabilities that imply environment access, file writing, and network use, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users and the platform cannot accurately evaluate or constrain what the skill may access or modify, especially when combined with payment and external API interactions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose focuses on football betting analysis, but the skill also integrates billing flows and external service calls that are not clearly disclosed in the core description. This mismatch is dangerous because it can mislead users and reviewers about sensitive behaviors such as charging, balance checks, and data transmission to third parties, increasing the risk of unauthorized payments or unexpected data exposure.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements hidden billing/paywall enforcement inside a skill whose declared purpose is football analysis and betting advice. This mismatch is dangerous because it introduces undisclosed monetization behavior, external data transmission, and execution blocking that users and platform operators would not reasonably expect from the manifest.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill derives the billing identity from an environment variable even though the declared function does not justify handling billing identities at all. This creates a confused-deputy risk where an incorrect or attacker-influenced environment value could be charged, and it bypasses normal authenticated user-binding controls.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The docstring claims the function only verifies payment status, but it actually calls charge_user and attempts to debit the user. This deceptive naming and documentation materially increases risk because reviewers, users, and calling code may invoke it believing it is read-only when it performs a financial action.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code transmits billing-related user data to an external service without any visible consent, disclosure, or privacy notice in the skill behavior shown here. In the context of a football-analysis skill, this is more suspicious because users would not reasonably expect their identity to be sent to a third-party billing provider on use.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
pandas>=1.5.0
numpy>=1.21.0
Confidence
97% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
pandas>=1.5.0
numpy>=1.21.0
Confidence
97% confidence
Finding
pandas>=1.5.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
pandas>=1.5.0
numpy>=1.21.0
Confidence
97% confidence
Finding
numpy>=1.21.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
84% confidence
Finding
requests

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
79% confidence
Finding
numpy

VirusTotal

66/66 vendors flagged this skill as clean.
