Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Soccer Predict
v1.1.0Football match betting prediction system. Auto-scrapes data from titan007.com (Asian handicap, over/under, European odds, fundamentals, lineups, corners, hal...
⭐ 0· 42·0 current·0 all-time
bySuperluigi@superluigi0309
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (football betting predictions from titan007) align with the instructions: the SKILL.md explains scraping titan007, running a 5-step prediction framework, and producing outputs. No unrelated credentials or external services are requested in metadata.
Instruction Scope
Instructions tell the agent to use browser-based scraping (browser navigate / browser act / browser console exec) and to run JavaScript in the page context to extract data. That is reasonable for scraping, but executing arbitrary JS in a browsed page may access page-local secrets (cookies, localStorage) and could exfiltrate data. The instructions also direct saving model/framework/data across sessions (see persistence), which broadens the skill's runtime footprint beyond a one-off scrape.
Install Mechanism
No install spec and no code files — instruction-only. This is the lowest-risk install model and is consistent with an agent-driven scraping/prediction skill.
Credentials
The skill declares no required environment variables or config paths, which fits its purpose. However, SKILL.md and references explicitly instruct writing persistent files to ~/.claude/projects/*/memory/..., a config path not declared in metadata. The skill requests no secrets, but the combination of in-browser JS and implicit file writes is notable.
Persistence & Privilege
The skill directs the agent to 'save the updated framework and match history to memory files' under ~/.claude/projects/*/memory/... to persist learning across sessions. The metadata did not declare required config paths or warn about persistent file writes. Persisting scraped data and learned parameters to the user's home directory increases long‑term risk (sensitive data retained, larger attack surface) and should be made explicit to users before installation.
What to consider before installing
This skill is coherent with its description, but exercise caution before enabling it. Key points to consider:
- The skill instructs the agent to open titan007 pages and run JavaScript in the page context to extract tables. That can access page cookies/localStorage or other site-local data — only run this if you trust the skill source and understand the site’s data sensitivity and terms of service.
- The SKILL.md tells the agent to persist learned models and match history to files under ~/.claude/projects/*/memory/..., but the registry metadata does not declare these config paths. Confirm where data will be written, review those files, and ensure you are comfortable with persistent storage of scraped data.
- Scraping titan007 may violate that site’s terms or local laws; check legal/ToS implications and betting regulations in your jurisdiction.
- Because the skill can store and reuse historical predictions, review stored content for sensitive or personally identifying data and consider running the skill in a sandboxed environment (isolated user account or container) if you want to limit exposure.
- Avoid providing any unrelated credentials; this skill does not declare needed secrets. If additional env vars or tokens are requested later, treat that as a red flag.
If you decide to proceed: start with a short test in concise mode, monitor network activity and created files, and inspect saved memory files before allowing continued autonomous use.Like a lobster shell, security has layers — review code before you run it.
latestvk972wkvpn8ea5g0p65qby1hqmh84sx7v
License
MIT-0
Free to use, modify, and redistribute. No attribution required.