Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sports Ticker

v3.2.0

Live sports alerts for Soccer, NFL, NBA, NHL, MLB, F1 and more. Real-time scoring with FREE ESPN API. Track any team from any major league worldwide.

2 · 5k · 8 current · 8 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
Name/description (live sports via ESPN) align with the code's main behavior (espn.py, ticker/live_monitor/schedule). However SKILL.md and metadata state "No API keys needed," yet code includes optional web-search fallbacks that use BRAVE_SEARCH_API_KEY / SERPER_API_KEY and logic to read other skill .env files — those capabilities are not described and are disproportionate to the stated purpose.
[!] Instruction Scope
Runtime instructions in SKILL.md direct running the provided scripts only (setup, ticker, live_monitor, auto_setup_crons). The problem is the scripts themselves do more than the doc states: live_monitor.py will attempt web-search fallbacks that make outbound requests to Brave/Serper APIs and will attempt to read API keys from the environment and from other skill directories on disk. SKILL.md does not disclose this filesystem access or optional external APIs.
Install Mechanism
No install spec (instruction-only + included Python scripts). Nothing is downloaded from arbitrary URLs or installed automatically; scripts run from the skill directory which reduces install-time risk.
[!] Credentials
Declared requirements list no env vars, but scripts optionally read BRAVE_SEARCH_API_KEY and SERPER_API_KEY and even attempt to read .env files from sibling skill paths (e.g., web-search-plus). Reading other skills' .env files and consulting HOME/clawd paths expands the credential footprint unexpectedly and can surface keys not intended for this skill.
Persistence & Privilege
The skill does not request permanent platform privileges (always:false). It writes cache (.score_cache.json) and state (.live_state.json) files into the skill directory — expected for this kind of tool. It outputs cron JSON for the platform to use but does not itself create system crons.
Scan Findings in Context
[reads-BRAVE_SEARCH_API_KEY] unexpected: live_monitor._web_search_live() will read BRAVE_SEARCH_API_KEY from environment to call Brave's search API as a fallback. The SKILL.md claims no API keys necessary; this optional key usage is not documented and broadens external data flows.
[reads-SERPER_API_KEY-or-dotenv] unexpected: live_monitor._web_search_live() will read SERPER_API_KEY from environment and also attempts to read .env files from paths outside the skill (web-search-plus .env and HOME/clawd/skills/web-search-plus/.env). Attempting to read other skill .env files is disproportionate and could leak or reuse credentials unintentionally.
[calls-external-search-apis] expected: Calling external search APIs (Brave/Serper) is expected for the web-search fallback, but only if the user knowingly provides keys. The ESPN API calls are expected and are the primary data source.
[writes-local-cache-and-state] expected: Scripts persist .score_cache.json and .live_state.json in the skill dir to track seen events — this is consistent with the skill's stated behavior.
What to consider before installing
This skill appears to implement a legitimate sports ticker using ESPN's public API and includes utilities to generate cron jobs. However, the code contains an undocumented web-search fallback that will: (1) attempt outbound calls to Brave or Serper search APIs if API keys are present; (2) try to locate SERPER_API_KEY in other skill .env files on disk (e.g., a sibling web-search-plus directory) and read BRAVE_SEARCH_API_KEY from the environment.

Before installing or running:

- If you do not want any credentials reused or exposed, ensure BRAVE_SEARCH_API_KEY and SERPER_API_KEY are not set in your environment and remove/secure any web-search-plus .env files in shared skill folders.
- Review and, if desired, remove or sandbox the web-search fallback code (live_monitor._web_search_live and its _try_serper/_try_brave helpers) so the skill only contacts ESPN.
- Be aware the skill will write .score_cache.json and .live_state.json into the skill directory. If you run in a shared environment, run the skill in a container or isolated user profile.
- If you plan to provide a search API key, only provide it if you trust the skill source and are comfortable that fallback search results may be sent to third-party search providers.

If you want greater assurance, ask the publisher to update SKILL.md to declare the optional environment variables and the local .env lookup behavior, or to remove the cross-skill .env search. If you can share the skill's origin or repository URL, that would increase confidence; lacking that, treat the cross-skill .env reading as a moderate privacy/credential risk.
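The two [reads-*] findings above and the first two pre-install bullets come down to one check: which environment variables and on-disk .env paths a skill's scripts actually touch, compared with what SKILL.md declares. The following is an added example, not ClawHub's scanner and not code from the Sports Ticker skill, showing how to run that check yourself with Python's ast module before installing. The sample sources, the function bodies of _try_brave/_try_serper and the web-search-plus path layout are constructed to mirror the scan's description; scrubbed_env() is a hypothetical helper for the "make sure the keys are not set" step.

```python
"""Audit a skill's Python scripts for undeclared credential reads (added example)."""
import ast
import os
from typing import Dict, Iterable

# Constructed stand-in for the skill's scripts. The patterns mirror the scan
# findings (search-key env lookups, a sibling skill's .env on disk); the real
# live_monitor.py is NOT reproduced here.
SAMPLE_SKILL = {
    "espn.py": "import requests\nESPN_BASE = 'https://site.api.espn.com'\n",
    "live_monitor.py": (
        "import os\n"
        "from pathlib import Path\n"
        "def _try_brave(q):\n"
        "    return os.environ.get('BRAVE_SEARCH_API_KEY')\n"
        "def _try_serper(q):\n"
        "    key = os.getenv('SERPER_API_KEY')\n"
        "    for p in (Path(__file__).parent.parent / 'web-search-plus' / '.env',\n"
        "              Path.home() / 'clawd' / 'skills' / 'web-search-plus' / '.env'):\n"
        "        if not key and p.exists():\n"
        "            key = p.read_text().strip()\n"
        "    return key\n"
    ),
}
SEARCH_KEYS = ("BRAVE_SEARCH_API_KEY", "SERPER_API_KEY")  # keys the scan called out


def _is_os_attr(node: ast.AST, attr: str) -> bool:
    """True for an `os.<attr>` expression."""
    return (isinstance(node, ast.Attribute) and node.attr == attr
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def _env_name(node: ast.AST):
    """Name read by os.getenv('X'), os.environ.get('X') or os.environ['X'], else None."""
    if isinstance(node, ast.Call) and node.args:
        f = node.func
        if (_is_os_attr(f, "getenv")
                or (isinstance(f, ast.Attribute) and f.attr == "get"
                    and _is_os_attr(f.value, "environ"))):
            a = node.args[0]
            if isinstance(a, ast.Constant) and isinstance(a.value, str):
                return a.value
    if isinstance(node, ast.Subscript) and _is_os_attr(node.value, "environ"):
        s = node.slice
        if isinstance(s, ast.Constant) and isinstance(s.value, str):
            return s.value
    return None


def _escapes_skill_dir(node: ast.AST) -> bool:
    """Path built outside the skill dir: Path.home(), expanduser(), or .parent.parent."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        f = node.func
        if f.attr == "home" and isinstance(f.value, ast.Name) and f.value.id == "Path":
            return True
        if f.attr == "expanduser":
            return True
    return (isinstance(node, ast.Attribute) and node.attr == "parent"
            and isinstance(node.value, ast.Attribute) and node.value.attr == "parent")


def scan_source(filename: str, src: str, declared_env: Iterable[str] = ()) -> dict:
    """Collect undeclared env reads, '.env' literals and dir-escape indicators."""
    declared = set(declared_env)
    tree = ast.parse(src, filename=filename)
    found = {"undeclared_env": set(), "dotenv_literals": [], "escape_lines": []}
    for node in ast.walk(tree):
        name = _env_name(node)
        if name and name not in declared:
            found["undeclared_env"].add(name)
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and node.value.endswith(".env")):
            found["dotenv_literals"].append(node.lineno)
        if _escapes_skill_dir(node):
            found["escape_lines"].append(node.lineno)
    return found


def audit_skill(files: Dict[str, str], declared_env: Iterable[str] = ()) -> dict:
    """Per-file findings, only for files that have any; compare against SKILL.md."""
    report = {}
    for fn, src in files.items():
        f = scan_source(fn, src, declared_env)
        if f["undeclared_env"] or f["dotenv_literals"] or f["escape_lines"]:
            report[fn] = f
    return report


def scrubbed_env(env: Dict[str, str], names: Iterable[str] = SEARCH_KEYS) -> Dict[str, str]:
    """Copy of `env` without the named keys; pass it as subprocess.run(..., env=...)
    so the skill's search fallback cannot pick the credentials up (hypothetical helper)."""
    drop = set(names)
    return {k: v for k, v in env.items() if k not in drop}


if __name__ == "__main__":
    for fn, f in audit_skill(SAMPLE_SKILL).items():   # SKILL.md declares no env vars
        print(fn, sorted(f["undeclared_env"]), f["dotenv_literals"], f["escape_lines"])
    print("scrubbed:", set(os.environ) - set(scrubbed_env(dict(os.environ))))
```

Run it against the real skill by reading each .py under the skill directory into the dict in place of SAMPLE_SKILL; a file that shows up in the report with env names absent from SKILL.md, or with .env literals next to Path.home()/.parent.parent escapes, is exactly the pattern the scan flagged. The .env-literal and escape checks are heuristics over string constants and attribute chains, so a path assembled from variables would need a manual look.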

Like a lobster shell, security has layers — review code before you run it.

latestvk973b9v8202drjkq1n9ry8hktd83pzs3


Runtime requirements

Bins: python3
