Skill v0.1.0
ClawScan security
Satoshi API — Bitcoin Intelligence · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 3:56 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is coherent with its stated purpose: it queries bitcoinsapi.com endpoints for Bitcoin data and does not request unrelated credentials or access; only minor implementation/packaging quirks are present.
- Guidance: This skill appears to do what it says: fetch public Bitcoin data from bitcoinsapi.com. Before installing, consider: 1) verify the provenance of the 'uv' brew formula (ensure it’s the expected tool) and that you trust bitcoinsapi.com for data and privacy policy; 2) the Python script lists httpx as a dependency but the install step does not install it; ensure you have Python (>=3.10) and httpx installed in the environment where 'uv run' executes; 3) no secrets should be sent to this skill; avoid pasting private keys or wallet seeds into the address command; and 4) if you’re concerned about autonomous calls to an external API, you can disable autonomous invocation or review calls in a sandboxed environment first.
Review Dimensions
- Purpose & Capability (ok): Name/description match behavior: the script calls bitcoinsapi.com endpoints for fees, mempool, price, block, address, and halving information. No unrelated services, credentials, or system resources are requested.
- Instruction Scope (ok): SKILL.md instructs running the bundled Python script via the 'uv' binary; the runtime instructions only perform network requests to bitcoinsapi.com and print results. The instructions do not attempt to read arbitrary files, environment secrets, or other system state.
- Install Mechanism (note): Install spec only installs a brew formula 'uv' which provides the required binary. This is a reasonable, limited install method. Minor packaging gap: the script declares a Python dependency (httpx) in its header but the install spec does not install Python or httpx; callers must ensure a compatible Python environment and httpx are available.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths. That is proportionate to simply calling a public HTTP API for read-only Bitcoin data.
- Persistence & Privilege (ok): Skill is not always-included and uses default autonomous-invocation behavior. It does not modify other skills or system-wide settings, and does not request elevated privileges.
