Skill v1.0.0
ClawScan security
Airdrop Alert · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 6, 2026, 5:55 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's description promises Telegram alerts and CLI interactions, but the shipped code does not implement Telegram or the claimed interfaces and yet the skill requires a TELEGRAM_BOT_TOKEN — these mismatches are suspicious and should be clarified before installing.
- Guidance: Do not provide your TELEGRAM_BOT_TOKEN (or any secret) to this skill as-is. The skill's README promises Telegram alerts and CLI commands, but the included Python script only prints mock data and doesn't use Telegram, curl, or any env vars — this mismatch could be an oversight or intentional. Ask the publisher to explain why a Telegram token is required and request source changes: either implement/send code that actually uses the token (and show how it stores/transmits it), or remove the TELEGRAM requirement. If you still want to try it, run the script in a sandboxed environment and inspect/modify the code yourself; avoid granting secrets until the implementation and data flows are clear and justified.
Review Dimensions
- Purpose & Capability (concern): Name/description promise monitoring + Telegram alerts. Declared requirements include TELEGRAM_BOT_TOKEN and curl. The included Python script only prints simulated airdrop data and does not implement Telegram alerts, webhook/curl usage, or the CLI commands described in SKILL.md. Requiring a Telegram token is not justified by the actual code.
- Instruction Scope (concern): SKILL.md documents CLI commands (/airdrop-hunter new, check, alert) and feature behaviors (alerts, eligibility checks). The runtime code provides mock list_airdrops() and check_eligibility() functions but no CLI entrypoints, no argument parsing, and no code to send alerts to Telegram or any external endpoint. The instructions give the agent broad-sounding responsibilities (alerts, multi-account, automatic tasks) that are not reflected in the code.
- Install Mechanism (ok): No install spec is provided (instruction-only plus a single Python file). That minimizes installer risk because nothing is pulled from remote URLs or installed automatically. However, the presence of a code file means the script will run locally if invoked.
- Credentials (concern): The skill requires TELEGRAM_BOT_TOKEN, but the Python file does not read any environment variables or use Telegram APIs. Asking for a secret credential that the code doesn't use is disproportionate and could be an attempt to collect a token or reflects sloppy/unfinished coding.
- Persistence & Privilege (ok): `always` is false and the skill does not request any elevated or persistent system privileges. It does not modify other skills or system-wide settings in the provided materials.
