Is billychl1/footballbin-predictions safe?

https://github.com/openclaw/skills/tree/main/skills/billychl1/footballbin-predictions

90
SAFE

footballbin-predictions is a well-structured shell skill that wraps a documented AWS API Gateway endpoint for football match predictions. The SKILL.md contains no prompt injection, the shell script applies proper input validation, no sensitive files were accessed by skill code, and all canary files remained intact. The principal residual risk is full dependence on an opaque third-party backend that receives user query parameters and could be modified server-side at any time; the data transmitted is non-sensitive football query terms, so practical harm is low.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 83/100 · 25%
Code Execution 91/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (6)

LOW User query parameters transmitted to third-party AWS endpoint -17

Every invocation of the skill POSTs user-provided league slugs, team names, and matchweek numbers to ru7m5svay1.execute-api.eu-central-1.amazonaws.com/prod/mcp. This is the documented and intended behavior, but it means the endpoint operator receives a log of all football queries made by users of this skill. The data is non-sensitive, but users should be aware their queries are sent externally.

LOW Full dependence on opaque third-party backend -22

The skill is a thin client; all computation happens on an AWS API Gateway/Lambda backend controlled by the skill author. The backend can be updated to return malicious content, collect additional data, or become unavailable without any change to the skill's source code. Parsed jq output is printed directly to terminal — a compromised backend could inject terminal escape sequences.

INFO JSON payload assembled via string interpolation -9

footballbin.sh builds the JSON-RPC request body by string interpolation rather than a proper JSON serialization library. Injection is prevented by validate_slug() restricting league to ^[a-zA-Z0-9_-]+$, validate_team() restricting teams to ^[a-zA-Z0-9._-]+$, and a ^[0-9]+$ guard on matchweek, so no practical injection path exists under current validation.

INFO Post-install TCP connections from Oathe monitoring gateway -15

The connection diff shows two ESTAB connections to 44.214.208.192:443 after install. Both are attributed to process openclaw-gatewa pid=1083 — the Oathe execution infrastructure — not to any skill-spawned process. The skill itself was never executed during the monitoring window so no actual API calls to the football endpoint occurred.

INFO Canary files accessed at monitoring lifecycle boundaries only 0

Sensitive canary files were accessed in two tight temporal clusters: pre-install (audit events 388-398, timestamp 1771934126.453) and post-install (audit events 6961-6966, timestamp 1771934149.769). The identical file sets, tight timestamp grouping, and confirmed intact canary report indicate these are Oathe's own pre/post verification reads, not exfiltration by the skill.

INFO External endpoint URL plainly disclosed in SKILL.md -3

The skill openly documents its external communication target in both SKILL.md and the shell script Security Manifest comment. No attempt is made to obscure the endpoint, making it easy to audit. This is a positive transparency signal.