Back to skill

Security audit

足球赛事数据 (Football Match Data)

Security checks across malware telemetry and agentic risk

Overview

This paid football-data skill also contains betting-recommendation workflows, local payment/order storage, and exposed credentials, so it needs careful review before installation.

Install only if you are comfortable with a paid sports-betting analysis tool, not just a neutral match-data reporter. Review the ClawTip payment flow, local order storage, and network calls first, and avoid using it in an environment with sensitive credentials. The exposed account/API secrets should be removed and rotated by the publisher before broad distribution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (49)

Tainted flow: 'key' from os.environ.get (line 339, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
import requests as req
            key = os.environ.get("ODDS_API_KEY", "5c66070b83e62dba82836a4d06c62abe")
            sport_key = SPORT_KEYS[league]
            resp = req.get(f"https://api.the-odds-api.com/v4/sports/{sport_key}/odds/",
                            params={"apiKey": key, "regions": "uk,us,eu", "markets": "h2h", "oddsFormat": "decimal"}, timeout=8)
            r["api_credits"] = int(resp.headers.get("x-requests-remaining", 0))
            # Match home/away teams to find Pinnacle odds
Confidence
96% confidence
Finding
resp = req.get(f"https://api.the-odds-api.com/v4/sports/{sport_key}/odds/", params={"apiKey": key, "regions": "uk,us,eu", "markets": "h2h", "oddsFormat": "decim

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares only limited permissions in metadata, but the documented workflow clearly invokes shell commands, reads and writes local order files, accesses credentials, and performs outbound network activity. This mismatch weakens sandboxing and user trust because reviewers may approve a skill under an incomplete understanding of what it can access and do.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose presents the skill as a simple public-data aggregation tool, but the analysis indicates broader behavior including payment handling, credential-gated execution, local state/ledger storage, betting-oriented modeling, and expanded data collection. This description-behavior gap is dangerous because it can mislead users and reviewers into granting permissions or trust they would not give if the full functionality were disclosed.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file materially conflicts with the skill's declared purpose as a football data/reporting tool and instead documents a betting analysis and recommendation system that selects 'high-confidence' matches. This is dangerous because it conceals the true capability of the skill, undermines user trust, and can bypass platform or policy controls that would apply to gambling-oriented functionality.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documented APIs and outputs include prescriptive verdicts, readiness gates, confidence scoring, and recommendation logic rather than mere collection and normalization of match data. In context, this expands the skill from passive reporting into actionable betting decision support while still being presented as a data tool, increasing the risk of deceptive deployment and policy evasion.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
Branding the file as a 'Dark Market System' centered on betting recommendations conflicts with the published identity of the skill as a football match data tool. Such identity mismatch is a security and trust issue because reviewers and users may grant permissions or rely on assurances that do not match the actual system behavior.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The README materially misrepresents the skill’s purpose: the metadata describes benign football data aggregation/reporting, while the file documents a betting-analysis CLI with prediction, value-bet identification, bankroll management, and backtesting. This mismatch can bypass review controls, mislead users into invoking higher-risk gambling functionality, and obscure policy-relevant behavior during distribution or approval.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The disclaimer says the tool does not include automatic betting, but the documented commands still provide bet recommendation, edge/EV screening, Kelly stake sizing, and bankroll tracking. Even without one-click execution, this framing can downplay the operational gambling support the tool provides and may cause users or reviewers to underestimate its real-world risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The state file contains operational account credentials and contact details that are unrelated to football data processing. Storing publishing/login information in a skill state artifact creates a direct secret-exposure risk and broadens compromise scope far beyond the advertised functionality.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The file embeds a skill publication command, account name, waiting schedule, and personal contact information that are not necessary for match-data reporting. This leaks operational metadata that can aid account targeting, social engineering, or unauthorized publication actions.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest describes a data/reporting tool, but the state includes paid delivery and order-processing components, indicating hidden capabilities not clearly disclosed to users. This mismatch increases the risk of unexpected financial workflows, data handling, and trust-boundary violations.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The state defines mandatory payment-gated behavior and automatic service execution after payment that is not reflected in the manifest. Hidden transactional behavior can trigger actions users did not clearly authorize and obscures the skill's true operational scope.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script creates and persists payment order metadata, including payee details and encrypted payment payloads, while the skill is presented primarily as a football data/reporting tool. That mismatch is security-relevant because users and reviewers may not expect billing/order creation behavior, increasing the risk of deceptive monetization or hidden payment flows.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The fallback path does not encrypt data at all; it merely Base64-encodes plaintext while the function claims to provide SM4 encryption. This creates a false sense of confidentiality and can expose order details and payment routing information anywhere the stored or transmitted payload is accessible.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The code’s behavior materially diverges from the declared football-data skill purpose: it creates a per-skill directory under the user’s home folder and reads/writes local order JSON files. This kind of undeclared local persistence is risky because users invoking a sports-data skill would not reasonably expect filesystem-side order tracking, making the capability misleading and increasing the chance of covert data storage or abuse in a broader agent workflow.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module/docstrings describe a shared order-file utility unrelated to football match data collection, which reinforces that the file is serving an undeclared purpose. Misleading documentation combined with off-scope storage logic weakens auditability and trust, and can conceal capabilities that operators and users did not approve.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
A hardcoded Odds API key is embedded in the script and used for network access, which is improper secret management. Anyone with access to the code can reuse the key, exhaust quota, incur cost, or impersonate the service's usage against the third-party API.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The module docstring advertises a value-betting analysis, odds/handicap signal, and backtesting tool, while the manifest presents the skill as a neutral football data aggregation and reporting utility. This mismatch is dangerous because users, reviewers, or platform operators may grant the skill access or trust under a lower-risk description while the codebase signals gambling-oriented functionality that may raise compliance, policy, and misuse concerns.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest claims a multi-source football data cleaning/reporting tool, but the code documentation describes probability prediction, betting signal generation, and backtesting. This discrepancy can conceal the real purpose of the skill, undermining informed consent and security review, and in this context makes the skill more dangerous because sports-betting functionality is materially different from simple data normalization and may violate platform, legal, or organizational controls.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The code emits explicit betting recommendations such as what side to take, whether to avoid a side, and confidence levels, which goes beyond neutral sports data normalization. In the context of a data-analysis skill marketed as standardized football data reporting, this creates undisclosed gambling-advice behavior and can materially influence user financial decisions based on opaque, heuristic logic.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The module documentation presents the component as analysis of bookmaker behavior, but the implementation includes direct action-oriented guidance ('what WE should do'). This mismatch is dangerous because it can mislead reviewers, downstream integrators, or users about the true function of the skill, reducing oversight of gambling-advice behavior.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module advertises strict blocking ('缺一步都不输出', 'Results blocked until all gates pass'), but `run_full_pipeline()` still returns partially populated `MatchData` after only logging missing requirements. In a betting/data-analysis workflow, this integrity gap can cause downstream components or operators to treat incomplete or unverified data as approved, undermining safety controls and producing misleading decisions.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The comments and top-level contract say cross-source verification and Betfair validation are required, but the implementation makes Betfair optional and marks key checks as complete without actual verification (`ah_verified = True`, `auto_signals = True`). This creates a trust-boundary failure where operators may rely on 'verified' outputs that skipped the very controls meant to detect bad or manipulated match data.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest presents the skill as a football data cleaning/reporting tool, but the CLI explicitly implements betting analysis, value betting, backtesting, and wager-oriented workflows. This capability mismatch undermines informed consent and can bypass policy or user review gates that would apply to gambling-oriented tools.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The `value` command generates concrete betting picks, confidence labels, Kelly-based bankroll guidance, and profit/loss framing, which goes well beyond neutral match-data reporting. In the context of a mislabeled data tool, this increases the risk of unapproved gambling advice and user harm from acting on concealed wagering recommendations.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.