ClawHub

BlackClaw

v1.0.0

Real-time crypto risk intelligence; before and as things break. Two tools: Flare (15-min precursor detection, immediate alarms) and Core (60-min state synthesis, context assessment). Free access to the last analysis. No API key required. Upgrade to x402 for custom analysis.

5· 1.7k·7 current·7 all-time
by@bilalmotiwala
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes a simple network client for a crypto risk API (Flare/Core), which is coherent with the stated purpose. However, the packaged skill name in the registry is 'BlackClaw' while the SKILL.md and homepage reference 'BlackSwan' (blackswan-mcp). Also the SKILL.md metadata requires the 'curl' binary but the registry metadata lists no required binaries. These inconsistencies suggest sloppy packaging or a copy/paste error and should be clarified before trusting the skill.
Instruction Scope
Runtime instructions are narrowly scoped: they direct the agent to call two public HTTP endpoints on https://mcp.blackswan.wtf and present results. The instructions do not ask the agent to read local files, access environment variables, or contact other external endpoints. The main risk is that the agent will send requests to an external, non-mainstream domain — expected for this type of skill but worth verifying the service's trustworthiness.
Install Mechanism
There is no install spec and no code files (instruction-only), which limits on-disk risk. This is the lowest-risk install pattern. Note: SKILL.md lists a runtime dependency on curl (metadata: requires bins: ["curl"]) whereas the registry metadata earlier said no required binaries — an internal inconsistency to confirm.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That is proportionate for a read-only public API client and reduces risk of secret exfiltration.
Persistence & Privilege
The skill is not marked always:true and is user-invocable (normal). It does not request persistent privileges or system-wide configuration changes.
What to consider before installing
This skill appears to be a simple client for the BlackSwan risk API and does not request secrets, but there are a few red flags to check before installing: 1) Confirm the correct project name — the registry lists 'BlackClaw' while the SKILL.md and homepage reference 'BlackSwan' (possible packaging mistake or copy/paste). 2) Verify the external endpoint (https://mcp.blackswan.wtf) and the GitHub repo (https://github.com/blackswanwtf/blackswan-mcp) yourself — ensure the service is reputable and you’re comfortable the agent calling it. 3) Ensure curl is available or acceptable to be used at runtime (SKILL.md notes it as a required binary). If you need stronger assurance, ask the publisher for the canonical repository link and a brief explanation of the naming mismatch, or run the skill in an isolated environment/network before granting it access to sensitive workflows.

Like a lobster shell, security has layers — review code before you run it.

latestvk977vwkg5phm8nhts9j5az25ad80epc9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments