Skill v1.0.1

ClawScan security

Crypto Market Intel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 4:40 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and requested resources are consistent with its stated purpose of fetching public market data from free APIs and do not request unrelated credentials or hidden endpoints.
Guidance
This skill appears coherent and low-risk for its stated purpose, but review a few practical points before installing: (1) the scripts write JSON to a local directory (default ~/market-data) — ensure you want those files and the directory has appropriate permissions; (2) Yahoo Finance endpoints used are unofficial and may be unreliable or rate-limited, so follow the fair-use guidance and consider lower fetch frequency or caching; (3) run the scripts in a limited environment (non-root, sandbox) if you want extra safety; (4) if you plan to schedule via cron, double-check the cron entry and output paths. If you need higher assurance, inspect/run the included scripts in a safe environment to confirm behavior.

Review Dimensions

Purpose & Capability
ok: Name/description claim free market data with zero API keys; the package includes a Python fetcher and a shell wrapper that only call public APIs (CoinGecko, Alternative.me, DeFi Llama, Yahoo Finance) and produce JSON output. All requested resources match the stated purpose.
Instruction Scope
ok: SKILL.md instructs the agent to run the included scripts and optionally schedule them via cron. The scripts only perform HTTP GETs to documented public endpoints and write structured JSON to an output directory; they do not read unrelated local files or access environment secrets.
Install Mechanism
ok: No install spec is provided (instruction-only install) and bundled code is plain Python/shell. Nothing is downloaded from external installers or executed from arbitrary archives; the fetcher uses Python's stdlib urllib with no external dependencies.
Credentials
ok: The skill requires no environment variables, credentials, or config paths. Network access is necessary for its purpose; there are no requests for unrelated keys or secrets.
Persistence & Privilege
ok: always:false and user-invocable:true (defaults). The skill does not request permanent elevated privileges, does not modify other skills, and only writes output files to a user-specified directory (default ~/market-data).