Skill v1.0.0
ClawScan security
Crypto Market Report using CoinMarketCap MCP · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 2, 2026, 1:38 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions align with its stated purpose (generating a CoinMarketCap MCP-based market report) and it does not ask for unrelated credentials or install code.
- Guidance: This skill appears coherent: it simply directs the agent to call CoinMarketCap MCP tools and format a report. Before installing, ensure you (or your platform) only provide a CMC MCP API key if you trust the skill and the host environment that will execute these tool calls. Confirm where the X-CMC-MCP-API-KEY will be stored/entered (agent config vs. environment) and whether access is logged/audited. If you need stronger guarantees, ask the skill author to declare the required env var in metadata and to provide an explicit privacy note about what data (if any) is logged or transmitted beyond CoinMarketCap MCP endpoints.
Review Dimensions
- Purpose & Capability (ok): Name, description, and allowed-tools all describe pulling CoinMarketCap MCP metrics and building a market report; the listed tool calls and required data (global metrics, derivatives, narratives, quotes) match the stated purpose.
- Instruction Scope (ok): SKILL.md only instructs calling specific MCP tools and formatting a report. It does not ask the agent to read unrelated files, harvest other environment variables, or send data to unexpected endpoints. Failure handling is scoped to skipping or retrying tool calls.
- Install Mechanism (ok): There is no install spec and no code files; this is an instruction-only skill, so nothing is written to disk or fetched during install.
- Credentials (note): The skill does not declare required env vars in metadata, but SKILL.md shows the MCP connection requires an X-CMC-MCP-API-KEY in a service config. This is proportionate to the task (an API key for CoinMarketCap), but the metadata omission is a minor inconsistency to be aware of.
- Persistence & Privilege (ok): always is false and the skill does not request persistent system-wide privileges or modify other skills. Autonomous invocation is allowed (platform default) and is appropriate for a user-invocable reporting skill.
