Back to skill
Skillv1.0.0
ClawScan security
Whale Alert · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 5, 2026, 11:24 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files and instructions match its stated purpose (monitoring large crypto transfers) and do not request unrelated credentials or perform unexpected actions.
- Guidance
- This skill appears coherent and low-risk as provided: it returns simulated whale-transfer data and doesn't access secrets or external endpoints. Before installing or using it for real-time data, ask the author how real API integration and per-call billing are handled (where payments are processed and whether API keys will be required), confirm the runtime environment includes the requests library if network calls are added, and review any future updates that introduce external network requests or new environment variables (those would need scrutiny).
Review Dimensions
- Purpose & Capability
- okName, description, SKILL.md, and the included Python script all align: the skill reports simulated whale transfers and indicates an optional integration point (Whale Alert API). Nothing in the code asks for unrelated resources or credentials.
- Instruction Scope
- noteSKILL.md describes monitoring >$100k transfers and charging 0.001 USDT per call. The runtime script returns simulated data and does not access files, env vars, or network endpoints. Note: the per-call billing is declared in metadata/SKILL.md but is not enforced in the script — billing would be handled externally by the platform.
- Install Mechanism
- okNo install spec is provided (instruction-only with a small helper script). Nothing is downloaded or written to disk during install.
- Credentials
- okThe skill declares no required environment variables or credentials. The code references the requests library (imported but unused); if the skill were extended to call external APIs it would legitimately need an API key, but none are requested now.
- Persistence & Privilege
- okalways=false (default). The skill does not request permanent/system-wide presence or modify other skills' configs. Autonomous invocation is allowed by default but is not combined with other concerning factors here.