!
Purpose & Capability
The skill's described purpose (live match analyses and predictions) matches the included code, which calls a football data API. However, the code requires RAPIDAPI_KEY (and optionally RAPIDAPI_HOST) from process.env, but the skill metadata declares no required environment variables or primary credential. That omission is an inconsistency: a skill that fetches live data legitimately needs an API key and should declare it.
ℹ
Instruction Scope
SKILL.md directs the agent to always fetch real data and lists the analysis format and league IDs — this aligns with the code's tools. The SKILL.md does not mention the need for an API key or where data will be fetched from, which leaves important runtime requirements unspecified.
✓
Install Mechanism
No install spec is provided (instruction-only behavior), so nothing will be downloaded or written during install. The only executable behavior is the included JS code which makes outbound HTTP requests at runtime.
!
Credentials
The code reads RAPIDAPI_KEY and RAPIDAPI_HOST from environment variables but the manifest lists no required env vars. Requesting a single API key for the external football-data service would be proportionate — but the key is not declared, documented, or scoped in the manifest, which is a transparency issue and a potential security risk if users supply broad-purpose credentials.
✓
Persistence & Privilege
The skill does not request permanent always:true privilege and does not modify other skills or system-wide settings. Autonomous invocation is enabled by default, which is normal; there is no additional persistence or privilege requested.
Scan Findings in Context
[process.env.RAPIDAPI_KEY (code review)] expected: The skill's code references process.env.RAPIDAPI_KEY and process.env.RAPIDAPI_HOST to authenticate requests to RapidAPI. Requiring an API key is expected for live-data fetches, but the manifest failed to declare this requirement.
[external_endpoint_rapidapi] expected: The code communicates with free-api-live-football-data.p.rapidapi.com (BASE_URL). Outbound calls to this host are expected for the stated functionality, but users should be informed which external service the skill contacts.
What to consider before installing
This skill fetches live football data via RapidAPI but the manifest does not declare the RAPIDAPI_KEY it needs; that's a transparency mismatch. Before installing or supplying credentials:
1) Ask the author to update the skill metadata to declare required env vars (RAPIDAPI_KEY and RAPIDAPI_HOST) and to document what the key is used for.
2) Provide a scoped/dedicated RapidAPI key (not a general-purpose or high-privilege key) and consider using a throwaway/test account.
3) Verify the external host (free-api-live-football-data.p.rapidapi.com) and review the RapidAPI plan/limits and privacy.
4) If you need stronger assurance, run the skill in a controlled environment and monitor outbound traffic to confirm it only contacts the expected API.
If the author cannot explain the missing manifest entries, treat the skill with caution or avoid installing it.