Back to skill
v1.0.3
GM3 Alertworthy Feed
BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:27 AM.
Analysis
This is a simple read-only market-data API skill, with the main thing to notice being that it requires a GM3 API key even though the registry metadata does not declare one.
GuidanceThis skill appears benign and limited to reading a GM3 market-data endpoint. Before installing, make sure you are comfortable giving the agent access to a GM3 Developer API key, store the key securely, and verify that any consuming agent does not treat the feed as automatic trading advice.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Permission boundary
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
This skill requires a GM3 Developer API key. Requests must include the following header: Authorization: Bearer gm3_key_...
The skill requires an API credential for the GM3 service. This is expected for a paid read-only feed, but it is still sensitive account access that should be handled as a secret.
User impactIf installed, an agent may need access to a GM3 API key to call the feed. Mishandling that key could expose the user's GM3 entitlement.
RecommendationUse a scoped GM3 API key if available, store it only in the platform's secret manager, and avoid sharing outputs or logs that include the Authorization header.