Skill v1.0.0

ClawScan security

Crypto Alpha Daily Intelligence · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 9:05 AM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill's documentation and runtime instructions clearly expect API keys and a Node.js project, but the registry metadata declares no required credentials or install steps — the mismatch is suspicious and warrants clarification before use.
Guidance
Do not install or supply secrets yet. The skill's docs expect OpenAI and NewsAPI keys and a Node.js project, but the registry declares none and the source repo is unknown. Ask the publisher for: (1) the canonical source repository or release URL, (2) an explicit list of required environment variables and why each is needed, and (3) whether any code will run on your systems (and what exact commands). If you decide to proceed, only provide API keys via a platform secret manager (not pasted into chat), verify the published repository contents match the README, and avoid giving keys for social or trading accounts until you can review the code. If the publisher cannot supply a trustworthy repo or a clear justification for credentials, treat the skill as untrusted.

Review Dimensions

Purpose & Capability
concern: The skill claims to aggregate crypto news and run AI analysis (NewsAPI and OpenAI are referenced in SKILL.md/README). However, the registry metadata lists no required environment variables or credentials. A news aggregator that calls external APIs legitimately needs API keys; the absence of declared credentials is inconsistent.
Instruction Scope
concern: SKILL.md/README instructs the agent to fetch external news APIs, use OpenAI for analysis, run cron scheduling, and run node index.js. It also references creating a .env file and agent.config.json. Those instructions imply reading and writing environment configuration and contacting external services; the skill registry does not declare or limit that access, creating scope ambiguity.
Install Mechanism
note: The registry lists no install spec and no code files are delivered with the skill, which is lower risk. However, the README contains typical project install/run steps (git clone, npm install, node index.js) and references a repo; this is inconsistent with the skill being instruction-only and with 'source: unknown'.
Credentials
concern: The README explicitly asks for OPENAI_API_KEY and NEWS_API_KEY (and references future social API keys), but the skill declares no required env vars or primary credential. Requesting API keys for multiple external services without declaring them is disproportionate and could hide secret usage or exfiltration paths.
Persistence & Privilege
ok: The skill does not request always:true and does not claim to modify other skills or system settings. It mentions cron scheduling for automation, which is expected for a daily-report agent, but the registry provides no install step to create such a schedule; clarify where and when scheduling would be configured.