Skill v1.0.1

ClawScan security

Crypto Daily Dashboard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 26, 2026, 10:50 PM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and instructions are consistent with a terminal crypto dashboard: it runs on Node, reads optional Binance API keys to fetch account balances, queries public market APIs, and optionally runs a local economic tracker script. There are no undeclared network endpoints and no downloads or installs at runtime, but a few metadata and execution cautions deserve attention.
Guidance
This skill appears to do what it says: it queries public market APIs and can optionally read your Binance balances when you provide BINANCE_API_KEY and BINANCE_API_SECRET. Before installing:
1) If you supply Binance keys, create API keys with read-only permissions (no trading or withdrawal rights).
2) Be careful with ECONOMIC_TRACKER_PATH: the dashboard executes the Python script at that path, so only point it at trusted local code that other users on the machine cannot modify.
3) The registry metadata omits env var declarations (an informational mismatch). Double-check SKILL.md and the code so that you set only the environment variables the skill actually reads.
If you are uncertain, run the script in an isolated environment or inspect and, if needed, modify the dashboard.js source before use.
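As an added example (not from the ClawHub scan and not the skill's own code), the following Node script performs the check behind point 3: it collects the environment variables a skill's source reads and compares them with the list the registry metadata declares, so an undeclared variable such as ECONOMIC_TRACKER_PATH stands out before installation. The dashboard.js excerpt it scans is constructed for the demo, the declared list is empty because the scan says the registry declared none, and the function names are assumptions.

```javascript
// Added example, not the skill's code. Audits env var usage in a skill's
// source against the registry's declared list.

// Constructed stand-in for dashboard.js; the real file is assumed to reach
// env vars via process.env.NAME, process.env['NAME'] or destructuring.
const SAMPLE_SOURCE = `
const { execSync } = require('child_process');
const apiKey = process.env.BINANCE_API_KEY;
const apiSecret = process.env['BINANCE_API_SECRET'];
const { TZ, LANG } = process.env;
if (process.env.ECONOMIC_TRACKER_PATH) {
  const out = execSync('python3 ' + process.env.ECONOMIC_TRACKER_PATH);
}
`;

// What the registry metadata declared (constructed: the scan reports none).
const DECLARED_ENV = [];

// Collect variable names from the three common access forms.
function findEnvVars(source) {
  const names = new Set();
  const dotOrBracket =
    /process\.env(?:\.([A-Za-z_][A-Za-z0-9_]*)|\[\s*['"]([A-Za-z_][A-Za-z0-9_]*)['"]\s*\])/g;
  for (const m of source.matchAll(dotOrBracket)) names.add(m[1] || m[2]);
  // const { A, B: alias, C = 'x' } = process.env
  const destructure = /\{\s*([^}]*)\}\s*=\s*process\.env\b/g;
  for (const m of source.matchAll(destructure)) {
    for (const part of m[1].split(',')) {
      const name = part.split(':')[0].split('=')[0].trim();
      if (name) names.add(name);
    }
  }
  return [...names].sort();
}

// Compare what the code reads with what the metadata declares.
function auditEnv(source, declared) {
  const used = findEnvVars(source);
  const declaredSet = new Set(declared);
  return {
    used,
    undeclared: used.filter((n) => !declaredSet.has(n)),
    unused: declared.filter((n) => !used.includes(n)),
  };
}

console.log(auditEnv(SAMPLE_SOURCE, DECLARED_ENV));
```

Run it against the real dashboard.js by reading the file into `auditEnv` in place of `SAMPLE_SOURCE`; anything listed under `undeclared` is a variable you are expected to set that the registry never told you about, and anything under `unused` is a declared variable the code never reads.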

Review Dimensions

Purpose & Capability
note: The skill name and description match the code: it fetches prices, funding rates, the Fear & Greed index, and (optionally) Binance account balances. Node is the only required binary, which is appropriate. One minor mismatch: the registry metadata lists no env vars, while SKILL.md and the code read BINANCE_API_KEY and BINANCE_API_SECRET (optional, needed only for balances) and mention ECONOMIC_TRACKER_PATH; the omission in the registry metadata is an inconsistency but not itself harmful.
Instruction Scope
note: SKILL.md instructs running the included dashboard.js and shows cron usage; the runtime actions match those instructions. All network calls go to the listed public APIs (CoinGecko, Binance endpoints, alternative.me). When ECONOMIC_TRACKER_PATH is set, the code executes the local Python script at that path via child_process.execSync and parses its JSON output. This means the skill runs whatever script the path points to, which is expected for an optional local economic tracker but is an execution risk if the path is untrusted. Because execSync hands its command string to a shell, the path is also interpreted by the shell rather than passed as a literal argument.
Install Mechanism
ok: No install spec or remote downloads are present; all files are included in the skill bundle. No external archives or package installs are performed at runtime, so install-time risk is low.
Credentials
note: The environment variables used by the code (BINANCE_API_KEY, BINANCE_API_SECRET, ECONOMIC_TRACKER_PATH, TZ, LANG) align with the feature set. Requesting Binance API credentials is proportionate for fetching account balances, and the skill recommends read-only API permissions. Registry-level metadata did not declare these required/optional env vars or a primary credential, which is an administrative inconsistency to be aware of.
Persistence & Privilege
ok: The skill does not request 'always' persistence and does not modify other skills or system-wide agent settings. Model invocation is enabled (the platform default), which is normal for an agent-invocable skill. No elevated or persistent privileges are requested by the skill itself.