Dota2-Stats-Skill
AdvisoryAudited by Static analysis on May 7, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When used, the agent may run the bundled script and send Dota player names, account IDs, match IDs, or filters to OpenDota to fetch results.
The skill directs the agent to run a local Python CLI and make OpenDota API requests. This is expected for a Dota 2 stats skill, but users should know their query terms and IDs are sent to the external API.
python ~/.openclaw/plugin-skills/dota2-stats-skill/scripts/dota2_query.py <command> [args] ... needs network access to `https://api.opendota.com/api`
Install only if you are comfortable with OpenDota lookups. For actions like `refresh <id>` or broad/slow searches, make sure the query matches what you intended.
Users have less external provenance information to verify who maintains the skill or where updates come from.
The registry metadata does not provide an upstream source or homepage, and there is no install spec. This is not evidence of malicious behavior, but it reduces provenance clarity for users reviewing the package.
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill.
Review the included files before installation and prefer installing from a trusted publisher or source when available.