BlackClaw
PassAudited by ClawScan on May 1, 2026.
Overview
BlackClaw is a coherent instruction-only skill that performs read-only crypto risk checks against disclosed external endpoints, with no evidence of credential use, local data access, persistence, or mutation.
This skill appears proportionate for its purpose: it fetches public-looking crypto risk summaries from a disclosed external service. Before installing, confirm you trust the BlackSwan service as a source of market-risk information and avoid using its output as an automatic trading or emergency decision trigger.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may contact BlackSwan's external service to retrieve crypto market-risk assessments.
The skill tells the agent how to call external endpoints using curl. These are disclosed, read-only GET requests that match the market-risk intelligence purpose, with no evidence of credential use or local data sharing.
curl -s https://mcp.blackswan.wtf/api/flare curl -s https://mcp.blackswan.wtf/api/core
Use the skill only if you are comfortable relying on this third-party source, and treat returned market analysis as informational rather than as an automatic action trigger.
A user or installer may not see the curl requirement reflected in the registry metadata even though the documented usage depends on it.
The SKILL.md frontmatter declares a curl dependency, while the supplied registry requirements list no required binaries. Because no code is installed and the curl use is explicit, this is a documentation/provenance note rather than a security concern.
metadata: {"emoji": "🦢", "requires": {"bins": ["curl"]}}Align the registry requirements with SKILL.md, and confirm that curl/network access is acceptable before use.