odds-api-io
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill uses environment variables or command-line flags for API key management, ensuring no sensitive credentials are hardcoded or stored within the skill files.
- [SAFE]: Network operations are directed exclusively to the official Odds-API.io service domain (api.odds-api.io) to retrieve sports information, which is consistent with the skill's stated purpose.
- [SAFE]: The CLI helper script is implemented using standard Python library modules (argparse, json, os, urllib) and does not rely on external dependencies or execute arbitrary system commands.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection as it processes data from an external API. This is considered an inherent risk for this type of skill and is mitigated by the script's limited capabilities.
  - Ingestion points: Data enters via the request_json function in scripts/odds_api.py when querying API endpoints.
  - Boundary markers: No specific delimiters are used to wrap the API responses in the output.
  - Capability inventory: The script is limited to network reads and console output; it cannot write files or execute subprocesses.
  - Sanitization: API responses are parsed as JSON but not otherwise filtered for instructions.