ClawHub

Leetify

v1.0.4

Get CS2 player statistics, match analysis, and gameplay insights from Leetify API. Supports player comparison and season stats. Use for stat queries and demo...

0· 536·0 current·0 all-time
byDamir Armanov@damirikys
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (Leetify CS2 stats & match analysis) align with the code and instructions. The skill only asks for LEETIFY_API_KEY and tools needed to fetch/parse demos (python3, bash, bunzip2, gunzip). Pip packages referenced in SKILL.md (requests, demoparser2) are appropriate for network calls and demo parsing. All network calls point to Leetify's public API domain shown in the SKILL.md.
Instruction Scope
SKILL.md and the scripts instruct the agent to call local scripts, query Leetify API endpoints, download demo replay files, decompress them, parse them with demoparser2, and cache results under local matches/ and data/steam_ids.json. These actions are consistent with the stated purpose. Two items to note: (1) analyze_last_demo.py's fetch_matches uses urllib without an Authorization header (other scripts do use LEETIFY_API_KEY) — this looks like a bug or indicates the endpoint may be public; (2) the skill downloads and parses remote demo files (replay_url) — that can use disk, CPU, and memory and fetch arbitrary remote content returned by Leetify. Neither is inherently malicious but are operational considerations.
Install Mechanism
This is instruction-only (no automated installer). The SKILL.md lists pip dependencies but there is no install script that automatically fetches code from untrusted URLs. The runtime requirements (bunzip2/gunzip) are only needed to decompress demo archives. No high-risk install patterns (like downloading/extracting archives from unknown shorteners) were found.
Credentials
Only LEETIFY_API_KEY is required. That is proportionate: the scripts send this key to the Leetify API when making authenticated requests. No unrelated secrets or system credentials are requested. The scripts do read/write a local JSON file (data/steam_ids.json) for mappings, which is expected for this functionality.
Persistence & Privilege
The skill does not request always:true and will not be force-included. It does not attempt to modify other skills or system-wide settings. It does create and write to local storage data/steam_ids.json and a matches cache directory (local to the skill), which is normal for this use case.
Scan Findings in Context
[unicode-control-chars] unexpected: The static pre-scan flagged invisible unicode control characters in SKILL.md. This is not required for the skill's functionality and can be used in prompt-injection attacks or to obscure content. Inspect SKILL.md for unexpected invisible characters before trusting it.
Assessment
This skill appears to do what it says: query Leetify with LEETIFY_API_KEY, fetch match/demo data, and parse it locally. Before installing, consider: - Protect your API key: only provide a Leetify key with the minimum scope needed and avoid sharing any other secrets. - The skill will download demo files provided by the API and decompress/parse them locally (can be large and memory-intensive). Run in a sandbox or environment with limited disk and memory if you are concerned. - The scripts store mappings in data/steam_ids.json and cache parsed matches under a relative matches/ path; these are written to the agent's filesystem. Back up or inspect that file if you rely on it. - The pre-scan found unicode control characters in SKILL.md — inspect the SKILL.md for invisible characters to ensure there is no hidden or misleading content. - Note a minor implementation oddity: one demo-fetch function (analyze_last_demo.py) constructs some API requests without an Authorization header while other scripts do use LEETIFY_API_KEY. Expect occasional errors or public vs authenticated endpoint differences; you may want to audit those calls. If you trust Leetify and are comfortable with local demo parsing and caching, the skill is coherent and reasonable to install; otherwise run it in a restricted environment or request a cleaned review of SKILL.md and the small implementation issues first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ehy7b1me77nz8tsc02xyh2n81g0g8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3, bash, bunzip2, gunzip
EnvLEETIFY_API_KEY

Comments