v1.0.3

土狗气象台

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:34 AM.

Analysis

This instruction-only skill appears to fetch public trend and Web3 market data, with minor privacy, provenance, and token-bias points users should notice.

GuidanceBefore installing, be comfortable with the agent using curl to contact tugoumeme.fun and web3.binance.com. Avoid entering wallet addresses or topics you consider private, and independently verify any token mapping or market conclusion before acting on it.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

curl -s "https://tugoumeme.fun/api/messages?page=1&page_size=20" ... curl --location "https://web3.binance.com/bapi/defi/v5/public/wallet-direct/buw/wallet/market/token/search?keyword=pepe..."

The skill directs the agent to use curl for external API calls. This is central to the skill's stated purpose and the endpoints are disclosed, but users should know the agent may make these network requests.

User impactWhen invoked, the agent may contact the listed public services to retrieve trend and token data.

RecommendationInstall only if you are comfortable with the agent making these disclosed public web requests; review generated commands if you need tight network control.

Human-Agent Trust Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

并且用户明确给出 CA：`0xeccbb861c0dda7efd964010085488b69317e4444` ... 视为高置信度锚点

The instructions include a specific contract address as a high-confidence Chinese-topic anchor. It does not instruct buying or trading, but it could bias analysis toward that token if users treat it as an endorsement.

User impactThe agent may treat that specific contract-address mapping as stronger evidence in relevant meme-topic analysis.

RecommendationVerify any hardcoded token mapping independently and do not treat skill instructions as investment advice.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

metadata

Source: unknown
Homepage: none

The registry does not provide a source repository or homepage. The provided artifact is instruction-only and does not show hidden code, so this is a provenance note rather than a behavioral concern.

User impactUsers have less external context for who maintains the skill or where to audit changes outside the registry artifact.

RecommendationPrefer installing from publishers you trust, and re-check the SKILL.md content after updates.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

检查某个 token / CA / 地址值不值得继续跟 ... wallet holdings ... smart money

The skill includes token, contract-address, and wallet/address lookups through external Binance Web3/public data workflows. Wallet addresses are public-chain data, but queries can still reveal user interests or associations to the external provider.

User impactToken or wallet/address lookups may be sent to external public API providers.

RecommendationAvoid submitting wallet addresses or topics you consider sensitive, and assume external services can observe those queries.