Token Scan

v1.0.0

Scan token contract security risk and return a structured summary including score, tax, holder concentration, and LP lock status. Supported chains are bsc, e...

by CertiK @certik-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the implementation: the bundled script and SKILL.md call the public CertiK token-scan API (open.api.certik.com) to retrieve a token risk scan. There are no unrelated credentials, binaries, or services requested.
Instruction Scope
SKILL.md restricts usage to supported chains and instructs validation of addresses and use of the bundled Python script (with a curl fallback). The Python script itself simply performs an HTTP GET and does not perform address-format validation; the SKILL.md places some validation responsibility on the agent. This is a minor mismatch but not malicious.
Install Mechanism
No install spec — instruction-only with a small included Python script. No downloads from arbitrary URLs, no archives extracted, and nothing is written to disk beyond executing the provided script. Low install risk.
Credentials
The skill requests no environment variables, no credentials, and no config paths. It makes outbound HTTPS calls to a single third-party endpoint (CertiK). The network access is proportional to the stated purpose.
Persistence & Privilege
always is false and the skill does not request persistent system privileges or modify other skills. Autonomous invocation is allowed but is the platform default; this skill does not request elevated persistence.
Assessment
This skill appears to do exactly what it says: it sends the chain and contract address to CertiK's public token-scan API and returns JSON. Before installing, consider: (1) network calls to open.api.certik.com will reveal which contract addresses you query — if that is sensitive for your organization, avoid using it; (2) the script prints raw JSON, so the agent should format/sanitize outputs before exposing them to users; (3) SKILL.md recommends validating address formats but the bundled script does not — ensure the agent performs any required validation; (4) no credentials are requested, so there is no secret-exfiltration risk from this skill itself, but third-party API logging/policy is out of scope. Overall the pieces are coherent and proportionate.
