Skill v1.0.6

ClawScan security

CoolTrade 股票行情与分析大师 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 2:20 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary

The skill's requested resources and runtime instructions are coherent with its finance/market-data purpose; it only requires a CoolTrade API key and calls the provider's APIs. No unrelated credentials or risky installs are present.
Guidance

This skill appears to do what it says: it calls CoolTrade's APIs and requires your COOLTRADE_API_KEY. Before installing, confirm you trust cooltrade.xyz and are comfortable sending your market queries and stock symbols to that service (they may process data with third-party models like Claude). Note that the API key is embedded in request URLs (a potential logging risk), so avoid pasting highly sensitive data into prompts. If you plan to receive alerts via WeChat/Telegram, verify how CoolTrade links to your accounts (the skill does not request your Telegram/WeChat tokens). Rotate the API key if you stop using the skill, and review CoolTrade's privacy/security docs if available.

If you want higher assurance, ask the publisher for (1) documentation about how alerts are delivered, (2) confirmation that keys are stored and used securely (not logged), and (3) whether third-party LLMs are used and under what data retention/privacy policy.

Review Dimensions

Purpose & Capability
Status: ok
The name/description, SKILL.md, and openclaw.json all describe market data, reports, crypto signals, and alert creation; the only required secret is COOLTRADE_API_KEY, which matches the provider URLs. The included index.js simply exposes the openclaw.json skills list, consistent with the declared purpose.
Instruction Scope
Status: note
SKILL.md instructs the user/agent to supply COOLTRADE_API_KEY and to call the CoolTrade endpoints. It references AI-generated daily reports (mentions 'Claude 大模型', i.e. the Claude large language model) and push delivery to WeChat/Telegram, but the skill does not request any WeChat/Telegram credentials; presumably CoolTrade sends notifications via the account's configured channels. This is reasonable but worth noting: user data and queries will be sent to the cooltrade.xyz API and may be processed by CoolTrade and any downstream models they use.
Install Mechanism
Status: ok
There is no install script or external download. The package is instruction/configuration-only plus a tiny index.js to load openclaw.json; no binaries or extract-from-URL installs are present.
Credentials
Status: note
Only one credential is required (COOLTRADE_API_KEY), which is appropriate for this service. Minor concern: openclaw.json places the API key in the URL path (https://api.cooltrade.xyz/.../{{COOLTRADE_API_KEY}}/...), which can lead to key exposure in logs or Referer headers; using an Authorization header would be preferable. No other secrets are requested.
Persistence & Privilege
Status: ok
The skill does not request permanent/always-on inclusion and does not modify other skills; default autonomous invocation is allowed (platform default) but is not combined with excessive privileges or credentials.