v1.0.0

Gas Tracker

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:32 AM.

Analysis

The gas tracker functionality is mostly straightforward, but the artifacts make automatic USDT billing and deduction claims that are not verifiably implemented in the included code.

Guidance: Before installing, confirm how the 0.001 USDT fee is actually charged and whether you can set a spending limit. The gas-price lookup itself is simple and purpose-aligned, but the payment-success message should not be trusted unless the platform provides a verifiable receipt or confirmation.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Medium, Confidence: High, Status: Concern
scripts/gas_tracker.py
✅ 已扣费 0.001 USDT

The script prints a successful deduction in every normal formatted result, while the included source does not show a SkillPay call or any payment-status verification before making that claim.

User impact: A user or agent could be misled about whether a financial charge actually occurred or was successfully verified.
Recommendation: Only report a deduction after a verifiable payment confirmation, or clearly state that billing is handled externally by the marketplace; add explicit confirmation, receipts, and spending limits for paid invocations.
Tool Misuse and Exploitation
Severity: Info, Confidence: High, Status: Note
scripts/gas_tracker.py
requests.get("https://api.blocknative.com/gasprices/blockprices", ...)
requests.get("https://www.etherchain.org/api/gasPriceOracle", timeout=5)

The script contacts external gas-price APIs. This is expected for a real-time gas tracker, but it is still external network behavior users should be aware of.

User impact: Using the skill can contact third-party gas-data providers, exposing at least normal network metadata such as IP address and request timing.
Recommendation: Use the skill only if you are comfortable with the listed external data sources; maintainers should document these endpoints clearly.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
SKILL.md
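Automatic charging via the SkillPay API:
- Returns a payment link when the user's balance is insufficient
- Payments are automatically credited to a BNB Chain wallet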

The skill declares intended automatic billing and balance/payment-link behavior. The amount is disclosed, but it still represents payment authority tied to each invocation.

User impact: If the platform enforces this billing, repeated invocations may debit the user's balance by 0.001 USDT per call.
Recommendation: Verify the marketplace billing terms before installing, and prefer skills that provide per-call confirmation, receipts, and user-configurable spending caps.