Yahoo Fantasy Baseball
v0.1.14Manage your Yahoo Fantasy Baseball team: view roster, standings, matchups, free agents, draft results, transactions, and injuries. Daily roster optimization...
⭐ 0· 323·0 current·0 all-time
byKevin Haney@khaney64
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the implementation: the skill uses yahoo-fantasy-api and yahoo_oauth to access Yahoo Fantasy, and the mlb stats API for lineup/schedule data. No unrelated credentials, endpoints, or binaries are requested.
Instruction Scope
SKILL.md and code instruct running CLI commands, performing OAuth, and (optionally) making roster changes (add/drop/swap/claim). The instructions require interactive entry of Consumer Key/Secret and open a browser for OAuth. The skill stores tokens and config in ~/.openclaw/credentials/yahoo-fantasy/ — this is expected but important to note because the tokens grant API access.
Install Mechanism
No external arbitrary downloads; the entry script bootstraps a local .deps virtualenv and runs pip install -r requirements.txt (yahoo_fantasy_api). This writes files to the skill directory and is a standard Python install approach; risk is moderate but proportional to the task.
Credentials
The skill does not request environment variables or unrelated secrets. It requires OAuth consumer key/secret which are supplied interactively and stored in oauth2.json in the user's home credential directory — appropriate for this integration but stored in plaintext JSON locally.
Persistence & Privilege
always:false (normal). The skill creates a local .deps venv in the skill directory and writes credentials/config under ~/.openclaw/credentials/yahoo-fantasy/. It does not modify other skills or system-wide settings, but the stored OAuth tokens allow the skill to act on your Yahoo account (including roster writes when you use the confirm flags).
Assessment
This skill appears to do what it says: it will create a local Python venv (.deps) and pip-install yahoo_fantasy_api, and it requires you to create a Yahoo developer app and run an interactive OAuth flow. Notes to consider before installing:
- Credentials storage: OAuth consumer key/secret and access/refresh tokens are saved as plain JSON under ~/.openclaw/credentials/yahoo-fantasy/oauth2.json. Treat that file like any credential — revoke tokens in your Yahoo account if you stop using the skill.
- Write capability: The tool can perform roster changes (add/drop/claim/swap). Those actions require explicit --confirm flags from the CLI, but if you allow agent autonomy, a malicious or buggy agent could issue writes. Only enable autonomous use if you trust the agent and this skill.
- Dependency install: The script bootstraps a local venv and installs packages from PyPI (yahoo_fantasy_api). If you need higher assurance, review the yahoo_fantasy_api package source before installing.
- Network endpoints: The code talks only to Yahoo/Fantasy and the official MLB stats API (statsapi.mlb.com). No hidden third-party endpoints were found.
If you want extra caution: (1) create a dedicated Yahoo developer app you can revoke, (2) run the code in an isolated environment, and (3) inspect oauth2.json contents after auth so you know what tokens are stored.Like a lobster shell, security has layers — review code before you run it.
latestvk97a7hsd00j88nyks5z40zww8d847jaf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⚾ Clawdis
Binspython3