Skill v1.0.0
ClawScan security
Soccer Lottery · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 20, 2026, 3:23 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required configuration are coherent with a football-match analysis / betting-recommendation tool; it asks for a match-data API key via a local config file and otherwise performs expected data fetch and analysis steps.
- Guidance: This skill appears to do what it claims, but consider the following before installing: (1) Source is listed as unknown/no homepage — review the code yourself or run it in a sandbox before granting access. (2) You will need to install Python dependencies from requirements.txt (pip install -r requirements.txt) for full functionality; the skill does not include an automated installer. (3) The tool expects you to provide a football-data.org API key in a local config.yaml — only provide API keys you are comfortable storing in a file on the host, and avoid reusing sensitive credentials. (4) If no API key is provided, the SKILL.md mentions web scraping fallback: expect network activity from WebFetch/WebSearch in that mode. (5) RapidAPI integrations for odds/injuries are noted but unimplemented, so no hidden third-party endpoints are being called by the provided code. (6) If you are unsure about trust, run the scripts in an isolated environment (VM/container) or inspect the repository source before configuring the skill.
Review Dimensions
- Purpose & Capability (ok): Name and description (football match/odds analysis and predictions) align with the included Python scripts and SKILL.md. The code fetches match/H2H data from football-data.org and runs a simple analysis model in analyzer.py — capabilities requested (API key in config.yaml) are proportionate to the stated purpose.
- Instruction Scope (ok): SKILL.md directs the agent to check Python dependencies and a config.yaml API key, call the provided scripts for fetching and analysis, and fall back to WebSearch/WebFetch if no API key is present. The instructions reference only the skill directory and config.yaml; they do not ask the agent to read unrelated system files or exfiltrate data. The fallback to web scraping means the agent may perform broader web requests if configured that way, which is expected for this type of skill.
- Install Mechanism (note): Registry metadata listed 'no install spec' (instruction-only), but the repository contains Python scripts and a requirements.txt. Dependencies must be installed (pip install -r requirements.txt) for the code to run; the skill itself does not declare an automated install step. This is not malicious but is an operational mismatch the user should be aware of (manual dependency installation or platform support required).
- Credentials (ok): No environment variables or unrelated credentials are requested. The code expects a local config.yaml with a football-data.org API key (or will return an error and note that RapidAPI integrations are not implemented). Requesting a match-data API key is proportional to the stated functionality.
- Persistence & Privilege (ok): Skill flags are default: not always-included and model invocation allowed. The skill does not request persistent platform privileges or attempt to modify other skills or system settings. It only reads/writes its own config file in the skill directory.
