Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
TA Radar
v1.2.0
Multi-Dimensional Technical Analysis Radar for cryptocurrencies. Supports spot trading pairs (Binance/Gate.io) and on-chain contract addresses (via DexScreen...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The name/description (TA Radar for crypto) align with the described data sources (Binance, Gate.io, DexScreener) and the indicators computed. However SKILL.md metadata lists an install command 'pip install -r requirements.txt' while README and the embedded script claim 'zero-dependency' pure-Python operation and no requirements.txt is present in the manifest — this inconsistency is unexplained.
Instruction Scope
The agent is instructed to write a full Python script to /tmp and execute it, then delete it. Running code supplied inside the SKILL.md is expected for instruction-only skills but is higher-risk than simple API calls because the embedded script can perform arbitrary I/O and network requests. From the visible parts the script fetches only the listed public endpoints (api.binance.info, api.gateio.ws, allorigins.win→DexScreener). I could not inspect the entire embedded script (it was truncated in the provided SKILL.md), so unknown behavior may exist. The instruction to return the script's full stdout unchanged may expose unexpected local details if the script prints them.
Install Mechanism
There is no separate install spec and no archived downloads; runtime network calls happen only during script execution. The presence of an install command in the SKILL.md metadata (pip install -r requirements.txt) conflicts with the 'zero-dependency' claim and with the manifest (no requirements.txt). No high-risk installer URLs or extracted archives are present.
Credentials
Declared environment variables are minimal and appropriate: TA_SYMBOL (required) and TA_INTERVAL (optional). The skill does not request secrets or credentials and the visible script only reads those vars. No evidence the skill asks for unrelated credentials or system config paths.
Persistence & Privilege
The skill is not set to always:true and does not request persistent system-level changes. It writes a temporary file to /tmp and deletes it; no installation of persistent daemons or modification of other skills is indicated.
What to consider before installing
This skill largely looks like what it says (a crypto TA tool), but there are three reasons to be cautious: (1) SKILL.md asks the agent to write and run a long embedded Python script — running code embedded in a skill is more powerful and riskier than just calling an API; (2) the metadata claims 'pip install -r requirements.txt' while the package claims zero-dependency and no requirements.txt is present — ask the maintainer to clarify or show the repository and requirements.txt before installing; (3) I could not inspect the entire embedded script (it was truncated here), so review the full script to ensure it doesn't call unexpected endpoints, exfiltrate data, or read local files. Recommended precautions: run the skill only in an isolated/sandboxed environment (or review the full embedded script first), verify the repository/source code on GitHub, and confirm there are no hidden endpoints or calls beyond the listed public APIs (Binance, Gate.io, DexScreener via allorigins.win). If you rely on it for real funds, consider running the script locally yourself after manual code review rather than allowing autonomous agent execution.
Like a lobster shell, security has layers — review code before you run it.
