Apex Crypto Intelligence
PassAudited by ClawScan on May 10, 2026.
Overview
The skill’s behavior matches its crypto market-analysis purpose, but users should notice the optional exchange API keys and external AI API data sharing.
This appears reasonable for a crypto market-analysis skill. Before using it, verify the Python client, use only read-only exchange API keys with no trading or withdrawal permissions, and avoid putting personal or account-specific secrets into queries sent to the external API.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user provides exchange keys with trading or withdrawal permissions, those credentials could carry more account authority than this analysis task needs.
The client reads exchange API credentials from environment variables and sends them to the relevant exchange API for market-data access. This fits the stated purpose, but crypto exchange credentials are sensitive.
api_key, api_secret = get_exchange_keys("BYBIT") ... "X-BAPI-API-KEY": api_keyUse newly created read-only API keys only, disable trading and withdrawals, consider IP restrictions where supported, and revoke keys when no longer needed.
Queries entered into the skill and market data context are shared with the external NeuroDoc/NeuroAether API.
The skill discloses an external provider data flow. This is expected for its AI reporting function, but user query text and aggregated market data leave the local machine.
Only market data (prices, volumes) and query text are sent to `api.neurodoc.app` for AI analysis.
Avoid including personal information, wallet addresses, private strategy details, or account-specific secrets in queries unless you are comfortable sending them to that provider.
Users have less registry-level assurance about provenance and runtime setup than they would with a fully declared package.
The registry-level provenance and install metadata are sparse even though the package includes a Python client. The provided artifacts do not show hidden installation or remote-script execution, but users should verify the included code/source before use.
Source: unknown ... No install spec — this is an instruction-only skill.
Review the included client.py and confirm the claimed upstream source before providing exchange credentials.