Skillv1.0.1

ClawScan security

Marsbit News · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 11, 2026, 11:12 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only wrapper for Marsbit's public news API and its declared inputs/behavior align with that purpose.
Guidance: This skill is an instruction-only adapter for Marsbit's public news API and appears internally consistent. Before installing, consider: 1) You will be sending user queries to https://api.marsbit.co — if you have privacy concerns, avoid or block that domain. 2) The package has no homepage listed in the registry metadata, though SKILL.md points to news.marsbit.co; if you need provenance, verify the Marsbit site independently. 3) No credentials are requested, so there is no secret-exfiltration risk from env vars, but the agent will transmit query text to the Marsbit API when invoked. 4) Because the skill can be invoked autonomously by the agent (normal default), ensure you trust the agent's permission model if you do not want automatic network calls.

Purpose & Capability: okName/description (crypto/Web3 news) match the documented endpoints (articles, flashes, search) under https://api.marsbit.co/info/ai. The skill requests no unrelated binaries, credentials, or config paths.
Instruction Scope: okSKILL.md only describes calling Marsbit HTTP endpoints and how to present results. It does not instruct reading local files, environment variables, or posting data to unrelated external endpoints.
Install Mechanism: okNo install spec or code files are present (instruction-only). Nothing is downloaded or written to disk by the skill itself.
Credentials: okThe skill requires no environment variables or credentials. The declared primary sources are the public Marsbit API endpoints, which is proportionate to a news retrieval skill.
Persistence & Privilege: okalways is false and the skill is user-invocable. It does not request elevated or persistent platform privileges.