Skill v1.0.0
ClawScan security
Crypto Price Checker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 11:24 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill does what it says (fetches prices from CoinGecko and integrates a payment step) and contains no obvious misdirection, but the packaging is incomplete and the external payment integration is underspecified; review before use.
- Guidance: This skill appears to implement its stated purpose, but before installing or running it: (1) Verify and trust the SkillPay implementation: the script imports a shared/skillpay module that is not included and could make network/payment calls; (2) Ensure you run it in a safe environment (it makes outbound requests to CoinGecko and may call payment endpoints); (3) Install the missing Python dependency (requests) in a controlled environment; (4) Confirm the hard-coded recipient wallet is acceptable; (5) If you allow autonomous invocation for agents, be aware the skill may trigger payment logic; review the actual shared/skillpay code (if present) to see what it does. If you cannot inspect the SkillPay module, treat the payment behavior as untrusted and run only the script's read-only parts in a sandbox.
Review Dimensions
- Purpose & Capability (ok): Name/description match the code: the script queries CoinGecko for prices, 24h change and volume and reports a hard-coded recipient wallet for a 0.001 USDT fee. No unrelated permissions or credentials are requested.
- Instruction Scope (note): SKILL.md instructs running the included Python script and mentions SkillPay billing. The runtime instructions do not ask for unrelated system files or secrets. However, the payment integration depends on an external 'shared/skillpay' module (not included) which could perform additional actions; in its absence the script uses a harmless test stub.
- Install Mechanism (note): There is no install spec (instruction-only plus a bundled script). The Python script requires the 'requests' package but dependencies are not declared; this is a packaging/maintenance gap rather than malicious behavior.
- Credentials (note): No environment variables or credentials are declared or required by the skill. That said, the SkillPay integration (external module) could internally require or use credentials or network access; those requirements are not declared in SKILL.md or registry metadata.
- Persistence & Privilege (ok): The skill does not request persistent or elevated privileges, does not set always:true, and does not modify system or other-skill configurations.
