Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Betting Research

v1.0.0

Multi-source sports betting research tool. Aggregates odds, team form, head-to-head history, weather conditions, and injury data to identify value betting op...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The skill's stated purpose (betting research) aligns with the included Python script and the referenced APIs. However, the metadata claims no required binaries or env vars, while the script reads the APIFOOTBALL_KEY / ODDS_API_KEY environment variables (as fallbacks) and expects config files under ~/.config. More importantly, the script attempts to run a Node-based helper at ~/.openclaw/workspace/skills/search-x/scripts/search.js, but the skill does not declare a dependency on that other skill or on the 'node' binary. Requiring execution of another skill's script without declaring it is an incoherence.

Instruction Scope (flagged)
SKILL.md instructions are generally limited to running the included Python script and storing API keys in ~/.config paths — those are appropriate. The runtime code, however, will attempt to execute a local Node script from a different skill path (~/.openclaw/.../search-x/scripts/search.js) via subprocess.run to fetch X/Twitter results; this expands the execution scope to run potentially arbitrary code from the workspace and is not documented as a dependency in SKILL.md. The script also reads files in ~/.config and the workspace, which SKILL.md partially documents for API keys but not for cross-skill execution.
Install Mechanism
No install spec is provided (instruction-only with an included script). Nothing is downloaded or extracted by the skill itself, which lowers installation risk.
Credentials
The skill asks for API keys for API-Football and The Odds API — these are proportional to its functionality. It suggests storing them in ~/.config/api-football/config.json and ~/.config/the-odds-api/key, and the script will also accept the APIFOOTBALL_KEY and ODDS_API_KEY environment variables. The metadata declares no required env vars, which is arguably misleading but not dangerous. No unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent privileges. It does not modify other skills' configs; it only reads files from the user's home directory and workspace when run.
What to consider before installing
This skill appears to implement what it claims (aggregating sports APIs), but take these precautions before running or installing:

1) Review the included scripts yourself — the Python code will try to execute a Node script at ~/.openclaw/workspace/skills/search-x/scripts/search.js if present. That means it can run code from other skills/workspace entries; verify that search-x (and any Node code) is trustworthy or remove/disable those calls.
2) The skill expects API keys in ~/.config or as env vars (APIFOOTBALL_KEY, ODDS_API_KEY); keep secrets in a safe place and avoid world-readable files.
3) If you don't want cross-skill execution, either ensure 'search-x' isn't installed or edit the Python script to remove the subprocess/node calls.
4) Ensure you have (or intentionally install) node if you want the X/Twitter lookups to work; the skill doesn't declare node as a required binary.

If you want me to, I can summarize exactly where the script executes external binaries and produce a patch to disable those calls.
