Crypto Levels Analyzer
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: crypto-levels Version: 1.0.3 The OpenClaw AgentSkills skill bundle 'crypto-levels' is classified as benign. The primary script, `scripts/analyze_levels.py`, legitimately uses the `requests` library to fetch cryptocurrency data from well-known public APIs (CoinGecko, Binance, CoinMarketCap), which is essential for its stated purpose. All Python scripts write temporary analysis results to `/tmp/` for debugging or output, a common and low-risk practice. The `SKILL.md` and other documentation files provide clear instructions and disclaimers without any evidence of prompt injection attempts or instructions for malicious actions. There are no indications of data exfiltration, unauthorized execution, persistence mechanisms, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the command-line modes may run code from the skill package on the user’s machine.
The documentation includes user-directed commands for running local Python scripts. This is expected for the skill’s analysis function, but it means installation/use may involve local code execution.
python3 scripts/analyze_quick.py SOL 177.70 2.31 60
Run the scripts only from the installed skill directory, avoid elevated privileges, and review local scripts if you plan to use command-line modes.
If a user supplies an over-permissioned API key, misuse of that key could affect the associated provider or exchange account.
The skill supports optional market-data provider API keys. This is purpose-aligned, but exchange/provider credentials should be scoped because some services can issue keys with broader account privileges.
export COINGECKO_API_KEY="your_key" export COINMARKETCAP_API_KEY="your_key" export BINANCE_API_KEY="your_key"
Use read-only or market-data-only keys where possible, never enable trading or withdrawal permissions for this skill, prefer environment variables, and apply IP restrictions if supported.
A local record of the analysis may remain on the machine after use.
Quick-mode analysis is documented as writing results to a local temporary JSON file. The content appears low sensitivity, but it is still a persistent local artifact.
分析结果会自动保存到 `/tmp/crypto_analysis_quick.json`
Delete the temporary file if you do not want analysis results left on disk, especially on shared systems.