Picks

College-football pick'em for Convoro. Sync the FBS schedule from collegefootballdata.com, pick the winner of every game each week, and climb a live leaderboard with weekly, season and all-time standings — auto-scored from real results, with optional confidence points.

AI security review

Reviewed safe · 94/100
A college-football pick'em extension that uses standard Laravel patterns with proper permission checks on all admin/manage actions, parameterized queries via Eloquent/query builder, and output escaping. External HTTP calls go only to the documented collegefootballdata.com and ESPN APIs; no obfuscation, eval, dynamic includes, or exfiltration.
  • low · Admin-supplied logo URL rendered in img src — In Manage.php and Extension::logo(), the team logo_path (set by admins via /api/ext/picks/teams/{team}) is passed through htmlspecialchars and placed in an img src. Escaping prevents attribute breakout, but nothing constrains the URL scheme or host, so an admin could store a javascript:, data: or arbitrary external URL. Modern browsers do not execute javascript: in an img src; the residual exposure is an externally hosted image (third-party load, mixed content, CSP noise). Restricting logo_path to absolute http(s) URLs on save would close it. Impact is limited to manage-permission users and this is not a meaningful injection risk.
  • low · ESPN/CFBD endpoints are hardcoded; no user-controlled URL fetch — Sync.php fetches only fixed CFBD/ESPN hosts; params are bounded values (year, week, conference filter). No user-supplied URL is fetched, so SSRF exposure is minimal. Noted only for completeness.
  • low · Reset/seed tools delete all picks data — TestData::wipe()/seed() in src/Service/TestData.php destructively delete all extension tables. Both endpoints are gated server-side by abort_unless(self::canManage(), 403); the confirmation prompt is client-side only and is a UX guard, not a security control. Expected admin functionality, not a vulnerability.
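
The logo_path finding above is the one a maintainer can close with a small input check. The following is an added example, not code from the Picks extension: a plain-PHP validator (the function name isSafeLogoUrl and the optional host allowlist are assumptions) that accepts only absolute http(s) URLs with a host, so javascript:, data:, scheme-relative and credential-bearing values are rejected before being stored and later echoed into an img src. In a Laravel controller the same check would sit in the request validation for the teams endpoint.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical validator for an admin-supplied team logo URL (added example,
 * not part of the Picks extension). Returns true only for absolute http(s)
 * URLs that carry a host and no embedded credentials. Rejects javascript:,
 * data:, file:, scheme-relative ("//host/...") and control-character inputs.
 *
 * @param string   $candidate    raw value submitted as logo_path
 * @param string[] $allowedHosts optional lowercase host allowlist (empty = any host)
 */
function isSafeLogoUrl(string $candidate, array $allowedHosts = []): bool
{
    $candidate = trim($candidate);
    if ($candidate === '' || strlen($candidate) > 2048) {
        return false;
    }
    // Reject control characters and embedded whitespace; some browsers strip
    // these before scheme parsing, so "java\nscript:" would otherwise slip by.
    if (preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return false;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // no scheme or no host: covers javascript:, data:, //host
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // no credentials in the URL
    }
    if ($allowedHosts !== [] && !in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return false;
    }
    return filter_var($candidate, FILTER_VALIDATE_URL) !== false;
}

// Constructed sample inputs with the expected verdict for each.
$cases = [
    'https://cdn.example.edu/logos/team.png' => true,
    'http://cdn.example.edu/logos/team.png'  => true,
    'javascript:alert(1)'                    => false,
    'data:image/svg+xml;base64,PHN2Zy8+'     => false,
    '//evil.example/track.gif'               => false,
    'https://user:pw@cdn.example.edu/x.png'  => false,
    "https://cdn.example.edu/a b.png"        => false,
];
foreach ($cases as $url => $expected) {
    $got = isSafeLogoUrl($url);
    printf("%-45s %s\n", json_encode($url), $got === $expected ? 'ok' : 'MISMATCH');
}

// With a host allowlist, only the listed CDN passes.
var_dump(isSafeLogoUrl('https://cdn.example.edu/logos/team.png', ['cdn.example.edu'])); // bool(true)
var_dump(isSafeLogoUrl('https://other.example/logos/team.png', ['cdn.example.edu']));   // bool(false)
```

Applying the check on write (the teams endpoint) rather than on render keeps Extension::logo() unchanged and means an already-stored bad value can only come from a row written before the check existed, which a one-off migration can clean up.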

Automated review of v1.0.0 by claude-opus-4-8 1 week ago. This is an automated signal to aid your judgment — not a guarantee.