Dota2-Stats-Skill
PassAudited by ClawScan on May 7, 2026.
Overview
This appears to be a normal Dota 2 stats tool that runs a local Python script and contacts the public OpenDota API, with minor review notes about network use and limited provenance metadata.
This skill looks purpose-aligned for Dota 2/OpenDota lookups. Before installing, be aware it runs a bundled Python script, needs outbound access to OpenDota, and has limited source metadata; avoid using it for private identifiers you do not want sent to that API.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When used, the agent may run the bundled script and send Dota player names, account IDs, match IDs, or filters to OpenDota to fetch results.
The skill directs the agent to run a local Python CLI and make OpenDota API requests. This is expected for a Dota 2 stats skill, but users should know their query terms and IDs are sent to the external API.
python ~/.openclaw/plugin-skills/dota2-stats-skill/scripts/dota2_query.py <command> [args] ... needs network access to `https://api.opendota.com/api`
Install only if you are comfortable with OpenDota lookups. For actions like `refresh <id>` or broad/slow searches, make sure the query matches what you intended.
Users have less external provenance information to verify who maintains the skill or where updates come from.
The registry metadata does not provide an upstream source or homepage, and there is no install spec. This is not evidence of malicious behavior, but it reduces provenance clarity for users reviewing the package.
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill.
Review the included files before installation and prefer installing from a trusted publisher or source when available.