Skill v1.0.0

ClawScan security

NFT Mint Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Reviewed
Mar 6, 2026, 1:49 AM
Verdict
Review
Confidence
medium
Model
gpt-5-mini
Summary
The skill's description claims live NFT tracking and per-call payment, but the bundled code is a local mock that neither enforces payment nor collects live data; this mismatch is suspicious and could be deceptive.
Guidance
Do not send money or assume the skill will enforce payments or provide live monitoring. The included Python script only prints simulated data and contains no network or payment logic. Before installing or paying: (1) ask the publisher for source that actually fetches live NFT data and for proof of payment processing; (2) request the code that verifies payments (an on-chain transaction check or an API call) and inspect it; (3) run the script in a sandbox and audit it for network calls; (4) verify the publisher's identity and ask why a wallet is required; (5) prefer skills that use documented APIs and transparent billing. If the author supplies updated code implementing the advertised features (network fetches, API keys only for the NFT services actually used, and payment verification), the assessment could be revisited.
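As an added example (not the scanner's output and not the skill's code), the following Python script performs the static half of step (3): it walks a skill's Python source for imports and calls that imply network access, chain access, or process or dynamic code execution, scans the SKILL.md text for wallet-address shapes, and reports where the documentation's claims outrun what the code can do. The module lists, the address regexes, the two sample scripts and the SKILL.md excerpt are assumptions constructed for illustration, not material from the reviewed skill.

```python
"""Static audit of a skill's Python source against what its SKILL.md claims.
Added example for this review; not the ClawHub scanner's code and not the
skill's script. Sample sources and the SKILL.md excerpt are constructed."""
import ast
import re
from dataclasses import dataclass, field

# Module families implying a capability. An assumption of this example,
# not a complete inventory; extend for your environment.
NETWORK_MODULES = {"socket", "http", "urllib", "requests", "httpx", "aiohttp",
                   "websocket", "websockets", "ftplib", "smtplib"}
CHAIN_MODULES = {"web3", "tronpy", "solana", "eth_account"}
EXEC_MODULES = {"subprocess", "ctypes", "importlib"}
DYNAMIC_EXEC = {"eval", "exec", "compile", "__import__"}
OS_EXEC_ATTRS = {"system", "popen", "execv", "execvp", "execve"}

# Address shapes typical of per-call fee instructions (EVM hex, TRON base58).
# Assumed regexes; they match shape only and do not validate a checksum.
ADDRESS_PATTERNS = {
    "evm": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "tron": re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b"),
}

@dataclass
class AuditReport:
    network_imports: set = field(default_factory=set)
    chain_imports: set = field(default_factory=set)
    exec_indicators: set = field(default_factory=set)  # modules and calls

def audit_source(src: str) -> AuditReport:
    """Walk the AST (nothing is executed) and record capability-implying
    imports and calls: network, chain, and process/dynamic execution."""
    report = AuditReport()
    for node in ast.walk(ast.parse(src)):
        modules = []
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            modules = [node.module]
        for root in (m.split(".")[0] for m in modules):
            if root in NETWORK_MODULES:
                report.network_imports.add(root)
            if root in CHAIN_MODULES:
                report.chain_imports.add(root)
            if root in EXEC_MODULES:
                report.exec_indicators.add(root)
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in DYNAMIC_EXEC:
                report.exec_indicators.add(func.id)
            elif (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                  and func.value.id == "os" and func.attr in OS_EXEC_ATTRS):
                report.exec_indicators.add("os." + func.attr)
    return report

def find_wallet_addresses(skill_md: str) -> list:
    """Return sorted (kind, address) pairs found in documentation text."""
    return sorted({(kind, m.group(0)) for kind, pat in ADDRESS_PATTERNS.items()
                   for m in pat.finditer(skill_md)})

def claims_vs_code(claims_live_data: bool, skill_md: str, report: AuditReport) -> list:
    """Mismatches between what the docs promise and what the code can do."""
    has_network = bool(report.network_imports or report.chain_imports)
    findings = []
    if claims_live_data and not has_network:
        findings.append("claims live data but the code performs no network I/O")
    if find_wallet_addresses(skill_md) and not has_network:
        findings.append("docs name a payment wallet but the code cannot verify a payment")
    if report.exec_indicators:
        findings.append("code can spawn processes or run dynamic code; inspect before running")
    return findings

# Constructed stand-in for a local mock that only prints simulated data.
MOCK_SCRIPT = '''import random
def monitor():
    for m in [{"collection": "demo", "minted": random.randint(1, 50)}]:
        print(m)
'''

# Constructed stand-in for code that fetches live data and touches a chain.
LIVE_SCRIPT = '''import requests
from web3 import Web3
def fetch_mints(url):
    return requests.get(url, timeout=10).json()
'''

# Constructed SKILL.md excerpt; both addresses are placeholders, not real wallets.
SKILL_MD = ("Run the script. Each call costs 0.001 USDT; send it to "
            "TConstructedDemoAddr11111111111111 or "
            "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef.")

if __name__ == "__main__":
    for name, src in (("mock", MOCK_SCRIPT), ("live", LIVE_SCRIPT)):
        print(name, claims_vs_code(True, SKILL_MD, audit_source(src)))
```

Run as a file, the mock stand-in is flagged twice (no network I/O behind a live-data claim, a wallet in the docs with no code able to check a payment) and the live stand-in is cleared. A clean static result is only half of step (3): dynamic imports, encoded strings and code pulled at runtime evade an AST walk, so the script should still run in a sandbox with network activity monitored.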

Review Dimensions

Purpose & Capability
concern
Name/description promise: live tracking (Twitter/community signals) and a 0.001 USDT charge to a wallet. Actual footprint: a local script that returns a hard-coded simulated list; no network calls, no Twitter API usage, and no payment enforcement. Requested resources (none) are proportionate, but the claimed features are not implemented.
Instruction Scope
concern
SKILL.md tells users to run the included Python script and prominently displays a wallet address and a per-call fee. The runtime instructions show no step that verifies payment or fetches external data, so the documentation asks for payment while the runtime behavior neither requires nor enforces it, a mismatch that could mislead users.
Install Mechanism
ok
No install spec, and the only code is a small local Python script (no downloads, no external installers). This is low-risk from an installation and execution mechanism perspective.
Credentials
note
The skill requests no environment variables or credentials, which is consistent with the bundled local script. However, SKILL.md includes a crypto wallet for payments (an external money endpoint) although no code implements or requires payment; this is a red flag for potential social engineering or billing confusion.
Persistence & Privilege
ok
The skill does not request persistent or elevated privileges, is not marked always:true, and does not attempt to modify other skills or system settings.