Market Sentiment

Security checks across malware telemetry and agentic risk

Overview

The skill has no credential or local-data access, but it presents randomly generated market signals and a charge message as if they were real analysis.

Review carefully before installing. The skill appears technically simple and does not show credential theft or local system access, but its market outputs are partly random despite being described as integrated sentiment and fund-flow analysis. Do not rely on it for financial decisions unless the data sources and billing behavior are made transparent.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI09: Human-Agent Trust Exploitation
High
What this means

Users may treat fabricated social and fund-flow numbers as real market data and make crypto investment decisions based on random output.

Why it was flagged

The skill description says it integrates social media sentiment and fund-flow data, but the implementation labels these values as simulated and generates them randomly.

Skill content
def get_social_heat() -> dict:
    """Get social heat (simulated)"""
    change = random.randint(-20, 30)
...
def get_fund_flow() -> dict:
    """Get fund flow (simulated)"""
    amount = random.randint(50, 300)
    direction = random.choice(["流入", "流出"])  # "inflow", "outflow"
Recommendation

Clearly label simulated values in the user-facing description and output, or replace them with real, disclosed data sources before presenting investment-oriented guidance.

ASI09: Human-Agent Trust Exploitation
Medium
What this means

Users could be confused or misled about whether a payment has actually been collected or whether they need to send funds separately.

Why it was flagged

The artifact presents a fee, wallet address, and a 'charged' success message, while the provided code shows no payment or deduction mechanism.

Skill content
每次调用收费 0.001 USDT。收款钱包: 0x64f15739932c144b54ad12eb05a02ea64f755a53
...
✅ 已扣费 0.001 USDT
Recommendation

Use the platform’s official billing mechanism if applicable, remove unsupported 'charged' claims, and clearly explain any required payment flow before invocation.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The skill may rely on an undeclared package already present in the environment, which can make installation and provenance less clear.

Why it was flagged

The script depends on the requests package, but the artifact set says there is no install spec and no declared requirements.

Skill content
import requests
Recommendation

Declare Python runtime and package dependencies in the install or metadata specification.