Skill v2.0.0
ClawScan security
Crypto Tracker Cn · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 6:50 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and resource access are consistent with a local crypto-market tracker that uses free public APIs and stores simple user data locally; nothing requested is disproportionate to its stated purpose.
- Guidance: This skill appears to do what it says: query public crypto APIs and provide CLI helpers. Before running, review the bundled scripts yourself (they are included) and be aware they will create/update files in your home directory (~/.crypto-tracker and under ~/.local/share/crypto-tracker-cn by default). The network calls go only to CoinGecko, DefiLlama, and Alternative.me (expected). If you plan to run it on a sensitive machine, consider running in an isolated environment (container or VM) or inspect/modify the scripts to change the data directory. Note: one script snippet in the provided manifest was truncated — verify the full scripts in the repository to ensure there are no bugs or incomplete code paths before use.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included scripts: the skill queries CoinGecko, DefiLlama, and Alternative.me for market, trending, fear/greed, DeFi TVL, etc. It requests no credentials and no unusual binaries. The included portfolio/alerts features explain the need for local persistence (storing JSON files).
- Instruction Scope (note): SKILL.md keeps scope to crypto market checks and example CLI usage. The bundled scripts create and write files under user data directories (~/.crypto-tracker and ~/.local/share/crypto-tracker-cn) for portfolio/alerts/history; the SKILL.md does not explicitly call this out. This is expected for a portfolio/alert feature but users should be aware of local file writes.
- Install Mechanism (ok): There is no install spec (instruction-only skill). No downloads or external installers are used. Code files are bundled with the skill; nothing in the manifest indicates fetching code from untrusted URLs or executing remote installers.
- Credentials (ok): No required environment variables or credentials are declared. Scripts respect XDG_DATA_HOME / HOME / CRYPTO_TRACKER_CN_DIR for data location and access only public API endpoints (api.coingecko.com, api.llama.fi, api.alternative.me). No secrets or unrelated credentials are requested.
- Persistence & Privilege (note): The skill persists user data (portfolio.json, alerts.json, logs) in user data directories. It does not request elevated privileges, modify other skills, or force inclusion (always:false). Users should expect local files to be created and updated when using portfolio/alert/history features.
