fix(billychl1/footballbin-predictions): use jq for safe JSON construction #74

Closed
billychl1 wants to merge 1 commit into openclaw:main from billychl1:fix/footballbin-json-injection

Conversation

@billychl1
Summary

Fixes a JSON injection vulnerability in scripts/footballbin.sh for the footballbin-predictions skill.

Problem

User-supplied inputs (league, home_team, away_team) were directly interpolated into a JSON string via bash string concatenation:

# Before (vulnerable):
args="{\"league\":\"$league\""
args="$args,\"home_team\":\"$home_team\""

A malicious input like --home 'x","injected":"y' could break the JSON structure and inject arbitrary fields into the MCP API call.

Fix

Use jq (already declared as a required dependency in SKILL.md) to construct JSON safely with proper escaping:

# After (safe):
args=$(jq -n \
    --arg league "$league" \
    --arg home "$home_team" \
    --arg away "$away_team" \
    '{league: $league} +
     (if $home != "" then {home_team: $home} else {} end) +
     (if $away != "" then {away_team: $away} else {} end)')

This ensures all user input is properly escaped by jq before being included in the JSON payload.
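The two constructions described above, side by side as an added example (not the skill's footballbin.sh and not the PR's own code): a constructed hostile `--home` value is fed to both, and a key count shows the extra field the concatenation version lets through. The function names `build_args_unsafe`, `build_args_safe` and `key_count` are assumed here; jq must be installed, as SKILL.md already requires.

```shell
#!/bin/sh
# Added example: compare raw string interpolation with jq-built JSON.
set -u

# Vulnerable construction, as in the PR's "before" snippet (closing brace
# added so the string is a complete JSON document).
build_args_unsafe() {
    league="$1"; home_team="$2"
    args="{\"league\":\"$league\""
    args="$args,\"home_team\":\"$home_team\"}"
    printf '%s' "$args"
}

# Safe construction, as in the PR's "after" snippet: --arg makes each value a
# JSON string literal, so quotes, backslashes and control characters are
# escaped instead of being parsed as structure.
build_args_safe() {
    league="$1"; home_team="${2:-}"; away_team="${3:-}"
    jq -cn \
        --arg league "$league" \
        --arg home "$home_team" \
        --arg away "$away_team" \
        '{league: $league} +
         (if $home != "" then {home_team: $home} else {} end) +
         (if $away != "" then {away_team: $away} else {} end)'
}

# Number of top-level keys in a JSON object; an injected field adds one.
key_count() {
    printf '%s' "$1" | jq -r 'keys | length'
}

if command -v jq >/dev/null 2>&1; then
    evil='x","injected":"y'   # constructed hostile value from the PR text
    printf 'unsafe (%s keys): %s\n' \
        "$(key_count "$(build_args_unsafe EPL "$evil")")" \
        "$(build_args_unsafe EPL "$evil")"
    printf 'safe   (%s keys): %s\n' \
        "$(key_count "$(build_args_safe EPL "$evil")")" \
        "$(build_args_safe EPL "$evil")"
fi
```

The unsafe form yields three keys (`injected` became a real field); the jq form yields two, with the whole hostile string stored as the `home_team` value.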

@openclaw-barnacle
Thanks for the pull request! This repository is read-only and is automatically synced from https://clawhub.ai, so we can’t accept changes here. Please make updates on the website instead.
