BlackClaw
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may contact BlackSwan's external service to retrieve crypto market-risk assessments.
The skill tells the agent how to call external endpoints using curl. These are disclosed, read-only GET requests that match the market-risk intelligence purpose, with no evidence of credential use or local data sharing.
curl -s https://mcp.blackswan.wtf/api/flare curl -s https://mcp.blackswan.wtf/api/core
Use the skill only if you are comfortable relying on this third-party source, and treat returned market analysis as informational rather than as an automatic action trigger.
A user or installer may not see the curl requirement reflected in the registry metadata even though the documented usage depends on it.
The SKILL.md frontmatter declares a curl dependency, while the supplied registry requirements list no required binaries. Because no code is installed and the curl use is explicit, this is a documentation/provenance note rather than a security concern.
metadata: {"emoji": "🦢", "requires": {"bins": ["curl"]}}Align the registry requirements with SKILL.md, and confirm that curl/network access is acceptable before use.