Back to skill
Skillv1.7.0
ClawScan security
0xArchive · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 18, 2026, 12:00 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions match its stated purpose (querying 0xArchive via curl using a single API key); nothing requested or instructed appears unrelated or excessive.
- Guidance
- This skill will send your OXARCHIVE_API_KEY in an x-api-key header to api.0xarchive.io when it runs — that's required for it to work. Before installing: ensure the API key has the minimum necessary permissions and billing limits you expect, avoid reusing high-value keys (e.g., AWS/GCP keys), and confirm you trust 0xArchive as the recipient. Because this is instruction-only, review SKILL.md (already provided) to confirm it only runs curl and doesn't perform other actions. If you expect HIP‑3 or Pro+ data, verify your subscription level with 0xArchive; endpoints for user liquidations or order history may require additional access and can return user-addressed data if you supply addresses.
Review Dimensions
- Purpose & Capability
- okName/description (historical crypto data from 0xArchive) align with the single required credential (OXARCHIVE_API_KEY) and the documented endpoints. No unrelated credentials, binaries, or paths are requested.
- Instruction Scope
- okSKILL.md instructs use of curl to call api.0xarchive.io and to read $OXARCHIVE_API_KEY. Endpoints and timestamp helpers are narrowly focused on market data. The instructions do not ask the agent to read unrelated files, extra environment variables, or to exfiltrate data to unexpected endpoints.
- Install Mechanism
- okNo install spec or code is shipped (instruction-only). That minimizes on-disk execution and is proportionate to a curl-based API integration.
- Credentials
- okOnly OXARCHIVE_API_KEY is required and declared as primaryEnv. This is proportionate for an API-based data skill. No other secret or unrelated environment access is requested.
- Persistence & Privilege
- okalways:false and normal autonomous invocation settings are used. The skill does not request persistent system-wide privileges or modifications to other skills.