ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Daily Dashboard

v1.0.1

All-in-one crypto dashboard showing Binance portfolio, BTC/ETH/SOL prices, Fear & Greed index, top funding rates, and economic tracking. Beautiful terminal U...

1· 464·0 current·0 all-time
by@dagangtj
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill name/description match the code: it fetches prices, funding rates, Fear & Greed index, and (optionally) Binance account balances. Node is the only required binary and is appropriate. One minor mismatch: the registry metadata lists no required env vars, while SKILL.md and the code require BINANCE_API_KEY and BINANCE_API_SECRET (optional for full functionality) and mention ECONOMIC_TRACKER_PATH; the omission in registry metadata is an inconsistency but not itself harmful.
Instruction Scope
SKILL.md instructs running the included dashboard.js and shows cron usage; the runtime actions match those instructions. All network calls are to the listed public APIs (CoinGecko, Binance endpoints, alternative.me). The code does execute a local Python script when ECONOMIC_TRACKER_PATH is set (via child_process.execSync) and parses its JSON output — this means the skill will execute whatever local script path you provide, which is expected for an optional local economic tracker but is a potential execution risk if the path is untrusted.
Install Mechanism
No install spec or remote downloads are present; files are included in the skill bundle. No external archives or package installs are performed at runtime, so there is low install-time risk.
Credentials
The environment variables used by the code (BINANCE_API_KEY, BINANCE_API_SECRET, ECONOMIC_TRACKER_PATH, TZ, LANG) align with the feature set. Requesting Binance API credentials is proportionate for fetching account balances; the skill recommends read-only API permissions. Registry-level metadata did not declare these required/optional env vars or a primary credential, which is an administrative inconsistency to be aware of.
Persistence & Privilege
The skill does not request 'always' persistence and does not modify other skills or system-wide agent settings. Model invocation is enabled (the platform default), which is normal for an agent-invocable skill. No elevated or persistent privileges are requested by the skill itself.
Assessment
This skill appears to do what it says: it queries public market APIs and can optionally read your Binance balances when you provide BINANCE_API_KEY and BINANCE_API_SECRET. Before installing: 1) If you supply Binance keys, create API keys with read-only permissions only. 2) Be careful with ECONOMIC_TRACKER_PATH — the dashboard will execute the Python script at that path, so only point it at trusted local code. 3) Note the registry metadata omits env var declarations (informational mismatch) — double-check the SKILL.md and code to ensure you set only the needed environment variables. If you're uncertain, run the script in an isolated environment or inspect/modify the dashboard.js source before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk970vt63zhsfjxy417gg80p4w181wh3m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode

Comments