Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
WhaleWatch CLI
v0.1.0Agent-native whale wallet tracker for ETH and BTC chains. Track large crypto wallet movements, score whale activity, detect accumulation/distribution pattern...
⭐ 0· 504·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (whale wallet tracker for ETH/BTC) matches the shipped SKILL.md and the wrapper script, which simply calls a 'whalecli' command-line tool and parses JSON. The SKILL.md documents expected APIs (Etherscan, mempool.space) and external integrations (Simmer/FearHarvester) that are consistent with the stated purpose.
Instruction Scope
Runtime instructions and the helper script limit themselves to invoking 'whalecli' and printing/parsing results. However, SKILL.md documents alert webhooks and an automated trigger model (periodic heartbeats, pre-bet checks) — these introduce the possibility of sending scan results to external endpoints (user-specified webhooks) and of the agent autonomously running the skill. The code included does not read unrelated system files or environment variables, but users should be aware that configuring arbitrary webhooks can transmit on-chain/wallet data externally.
Install Mechanism
This is an instruction-only skill with a small helper script; there is no install spec in the registry. SKILL.md suggests pip installing 'whalecli' from PyPI/GitHub (links provided). That is a normal, expected install flow for a CLI wrapper; no unusual download-from-random-URL behavior is present in the packaged files. (Note: the SKILL.md contains a likely-typo install line 'uv pip install whalecli'.)
Credentials
The skill declares no required env vars and the script reads none. SKILL.md does instruct storing an Etherscan API key in ~/.config/whalecli/config.toml (a local config file) — that is proportional to its function. There is a mild mismatch between declared requirements (none) and the practical requirement that users supply an Etherscan API key for ETH features; no unrelated credentials are requested.
Persistence & Privilege
always:false and normal model invocation are used (no forced always-on behavior). The skill does not attempt to change other skills or system-wide settings. The only persistent artifact described is a local config file (~/.config/whalecli/config.toml), which is a reasonable and limited persistence for a CLI tool.
Assessment
This skill appears to be what it claims: a thin agent wrapper that runs a separate 'whalecli' tool and parses its JSON. Before installing or enabling autonomous use: 1) verify the external 'whalecli' package (PyPI/GitHub links in SKILL.md) to ensure you trust that code; 2) be aware that alerts can be configured to post to arbitrary webhooks — those endpoints will receive on-chain/wallet data, so only configure trusted URLs; 3) the skill expects an Etherscan API key stored in a local config file (not as a required env var) — supply keys only if you accept that access; 4) SKILL.md references automatic triggers and betting integrations (Simmer/Polymarket) — if you allow the agent to invoke the skill autonomously, decide whether automatic scans or pre-bet checks are acceptable in your environment. If you want higher assurance, inspect the upstream 'whalecli' package source on GitHub/PyPI before running pip install.Like a lobster shell, security has layers — review code before you run it.
latestvk979904mfffhqbfd30cveyfek581nw90
License
MIT-0
Free to use, modify, and redistribute. No attribution required.