Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Apex Crypto Intelligence

v0.2.1

AI-powered multi-exchange crypto market analysis, arbitrage detection, and hedge fund-quality trading reports using live data from major exchanges.

by Hlias Staurou (@contrario)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (multi-exchange market analysis, arbitrage detection, reports) match the code and SKILL.md. Optional environment variables are exchange API keys that are reasonable for this purpose. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md and client.py instruct the agent to read optional exchange keys from environment variables, fetch market data from exchanges (and CoinGecko), build an aggregated payload, and send only prices/volumes and query text to https://api.neurodoc.app/aetherlang/execute. The code contains a build_api_request function that explicitly omits keys from the payload. Note: the consumer should still verify runtime behavior (e.g., error logging, stack traces, retries) won't inadvertently surface keys — the provided client.py makes that auditable.
Install Mechanism
No install spec (instruction-only skill plus an included Python client). This minimizes automatic installation risk. The SKILL.md lists a python dependency (httpx) but there is no automatic installer; user must provide Python and deps themselves, which is proportionate.
Credentials
No required env vars; optional env vars are standard exchange API key/secret pairs and match the declared names in SKILL.md and client.py. Requiring read-only keys for better data is proportional to the stated function. No other unrelated secrets are requested.
Persistence & Privilege
always is false, no OS restrictions, and the skill does not request system-wide config changes or credentials of other skills. Autonomous model invocation is allowed (platform default) but not combined with excessive privileges here.
Assessment
This skill appears coherent and auditable, but take these precautions before installing or running it with real keys:
- Keep exchange API keys strictly read-only (no trading/withdrawal permissions) as recommended.
- Review and run the included client.py locally (e.g., python client.py or a dry-run) to inspect the exact outbound payload; verify keys do not appear in logs, error messages, or the built payload.
- If you will send any market data to api.neurodoc.app, review that service's privacy policy and trustworthiness; the code sends aggregated prices and query text to that external API.
- Install dependencies (httpx) in an isolated environment (venv) and inspect network calls (e.g., with a proxy or network monitor) during initial runs.
- If you need a higher assurance level, obtain the referenced GitHub source and compare versions or run the client in an isolated sandbox before using production keys.

Confidence is medium because the provided client.py appears to exclude keys from the payload, but full runtime safety depends on how you run it (error handling/logging) and the external API's handling of data.

Like a lobster shell, security has layers — review code before you run it.
