Skill v1.0.0

ClawScan security

Token Sniper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 12:27 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requirements align with its stated purpose (monitoring new tokens via DexScreener); it makes an expected outbound API call and does not request unrelated credentials or privileged access.
Guidance
This skill appears coherent and read-only: it queries DexScreener and formats results. Before installing, note: (1) it will make outbound requests to api.dexscreener.com — ensure you are comfortable with that network access; (2) the skill does not implement any payment or wallet operations itself (the SKILL.md/pricing indicates platform billing), and it does not sign or send blockchain transactions, so do not assume it can execute trades; (3) the script requires Python and the 'requests' package to run; (4) exercise normal caution with financial signals—do not provide private keys or secrets, and verify results independently before acting on trading advice.

Review Dimensions

Purpose & Capability
ok: Name/description claim new-token monitoring; included Python script calls DexScreener API and formats discoveries. No unrelated credentials, binaries, or install steps are requested—capabilities match the stated purpose.
Instruction Scope
ok: SKILL.md describes monitoring and pricing but does not instruct the agent to read unrelated files or exfiltrate data. The runtime script only issues an outbound GET to a public DexScreener endpoint and formats results; it does not access local secrets, wallet keys, or system paths.
Install Mechanism
ok: No install spec included (instruction-only with a small script). There are no downloads from arbitrary URLs, no extract/install steps, and no third-party packages are pulled by an installer. The script requires the requests library but installation is not forced by the skill.
Credentials
ok: The skill declares no environment variables, credentials, or config paths. The code does not reference any environment variables or secrets. This is proportionate to a read-only token-monitoring tool.
Persistence & Privilege
ok: 'always' is false and the skill does not request persistent system presence or modify other skills' configs. It can be invoked normally and has no special privileges.