Skill v1.0.2

ClawScan security

Whale Watcher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Mar 6, 2026, 5:13 AM)
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's description promises Telegram alerts and API-key configuration, but the code and declared requirements don't line up — required env/binaries are unnecessary or missing and the runtime behavior is more limited than advertised.
Guidance
This skill is inconsistent: docs promise Telegram alerts, CLI commands, and use of user API keys, but the included Python script only prints to stdout and uses a default Etherscan key. Before installing or providing secrets, ask the author to:
1) explain why TELEGRAM_BOT_TOKEN is listed as required and provide code that actually uses it (or remove it from requirements);
2) either make ETHERSCAN_API_KEY/BSCSCAN_API_KEY required in the manifest and read them from env, or remove references from docs;
3) supply or document the CLI / integration layer that implements the /whale-watcher commands and Telegram delivery.
If you must test locally, run the Python script in a confined environment and do not expose real API keys or tokens until the above is clarified. The current mismatches are most likely sloppy packaging, but they could hide unexpected behavior in future updates, so proceed cautiously.

Review Dimensions

Purpose & Capability
concern: The skill claims Telegram real-time alerts and multi-chain monitoring. The declared required env only lists TELEGRAM_BOT_TOKEN (which is not used anywhere), and the declared required binaries include curl (also not used). The README/SKILL.md instruct users to set ETHERSCAN_API_KEY and BSCSCAN_API_KEY, but those are not declared in requires.env and the shipped Python code uses a built-in default key instead of reading env vars. These mismatches indicate the manifest, docs, and code are inconsistent with each other.
Instruction Scope
concern: SKILL.md and README show CLI-like commands (/whale-watcher monitor ...) and describe Telegram push alerts and 'real-time' monitoring. The provided whale_monitor.py only prints to stdout and polls Etherscan/BscScan via urllib; it does not implement a CLI dispatch, slash-command integration, Telegram notifications, or any external webhook delivery. The instructions therefore grant capabilities (sending Telegram messages, real-time push) that the code does not implement, which is scope creep / inconsistency.
Install Mechanism
note: There is no install spec (instruction-only), which is lower risk. A Python script is included but there is no automated installer or external downloads. That said, the presence of a code file without an install step means the skill will rely on python3 being present and executed by the agent; there is no remote fetch of arbitrary archives or obscure URLs.
Credentials
concern: requires.env declares TELEGRAM_BOT_TOKEN as required, but the code never references it; conversely, the documentation asks users to export ETHERSCAN_API_KEY and BSCSCAN_API_KEY but those keys are not declared as required in the manifest and the code uses a hardcoded default API key. Requiring a Telegram token without using it is disproportionate and misleading; missing declaration of API keys that the docs discuss is also inconsistent.
Persistence & Privilege
ok: always is false, there are no requested config paths, and the skill does not claim to modify other skills or agent-wide settings. It does not request persistent elevated privileges in the manifest.