Haizei Worldcup 2026 Skill (2026年美加墨足球世界杯Skill)

Security checks across malware telemetry and agentic risk

Overview

This World Cup data skill mostly matches its stated purpose, but it includes betting-odds workflows and deliberate anti-scraping User-Agent rotation that warrant review before installation.

Install only if you are comfortable with a skill that scrapes third-party sports and lottery sites, reports betting odds, and uses rotating browser/mobile identities for requests. Treat odds as informational only, not betting or financial advice, and consider local law, age restrictions, and site terms before using the betting-related commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill advertises very broad trigger phrases such as generic everyday sports, prediction, and betting-related queries without clear boundaries, which can cause the agent to invoke this skill in situations where the user did not explicitly request World Cup-specific data or gambling-related content. Over-broad activation increases the chance of misrouting, unintended data retrieval, and surfacing betting odds in contexts involving minors, unsafe gambling assistance, or irrelevant conversations.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill provides gambling-adjacent functionality by exposing betting odds and betting market types, but it does not include user-facing warnings, age/jurisdiction limitations, or guidance against using the information as betting advice. In practice, this can normalize or facilitate wagering behavior and may lead the agent to assist with regulated gambling content without appropriate safeguards.

Missing User Warnings

Medium
Confidence: 97%
Finding
The documentation explicitly recommends rotating real mobile User-Agent strings to reduce bot detection risk and bypass platform protections that block non-mobile access. This is dangerous because it normalizes evasive scraping behavior against an access-control or anti-automation layer, increasing the chance that users or downstream agents will violate site restrictions or trigger defensive responses.

Missing User Warnings

Medium
Confidence: 93%
Finding
This workflow explicitly helps users interpret and act on official betting odds, including prompts like '能买吗/盘口怎么走' and implied probability calculations, but it provides no warning that the information is gambling-related and should not be treated as betting or financial advice. In a consumer-facing skill, that omission can encourage risky wagering behavior and create compliance, user-safety, and jurisdictional issues, especially because the skill operationalizes betting decisions rather than merely reporting neutral sports data.

Missing User Warnings

Medium
Confidence: 95%
Finding
The file explicitly defines a pool of rotating real-browser User-Agent strings and comments state the purpose is to avoid triggering anti-scraping defenses. In the context of a scraping skill that targets third-party sports and betting sites, this is a deliberate stealth mechanism that can facilitate bypassing bot-detection controls and conceal automated collection from operators and users.

VirusTotal

63/63 vendors flagged this skill as clean.
