Skill v1.0.0
ClawScan security
Crypto Short Signal Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 5, 2026, 3:04 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (a paid public layer forwarding to a paid API) matches its description, but the package embeds a hard-coded SkillPay API key, and the registry metadata contradicts the skill's own config.json. That is disproportionate to the skill's purpose and risky.
- Guidance: This skill implements a paid public layer and forwards requests to a paid API, which is coherent with its description. However, the repository contains a hard-coded SkillPay API key, and the registry metadata claims no required env vars while config.json marks SKILLPAY_API_KEY as required. Before installing:
  1. Do not trust or use the embedded API key; treat it as leaked and compromised. Set your own SKILLPAY_API_KEY in the environment.
  2. If you plan to deploy or pay for this skill, rotate any keys the author published and avoid using their credentials.
  3. Consider running the paid layer (api.js) on infrastructure you control, or confirm that SkillPay and the author are trustworthy.
  4. Review network endpoints and logs to ensure user identifiers or other sensitive data are not sent anywhere unexpected.
  5. Be cautious using this for live trading: the skill includes a disclaimer and historical metrics, but trading risk and legal/regulatory concerns remain.
  If you need a safer posture, ask the author to remove the embedded keys and update the registry metadata to declare required env vars correctly, or refuse to install the skill.
- Findings
  - [hardcoded_api_key_in_config] unexpected: config.json contains a SkillPay API key (sk_...) embedded in the repository. A paid skill should require the operator to provide their own key via SKILLPAY_API_KEY rather than shipping an operational key.
  - [hardcoded_api_key_in_code] unexpected: index.js and api.js both fall back to a hard-coded API key when process.env.SKILLPAY_API_KEY is absent. This makes the embedded key usable by anyone who deploys the skill unmodified.
  - [external_billing_api_calls] expected: index.js and api.js call SkillPay billing endpoints (https://skillpay.me/api/v1/billing) to charge users, which is expected for a paid two-layer skill.
  - [embedded_token_database] expected: api.js includes a small hard-coded TOKEN_DATABASE used to produce sample responses; reasonable for demo data but limited compared to the core 'database' claimed in SKILL.md.
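The fallback the findings describe, shown as an added example rather than the skill's own code: the insecure `process.env.SKILLPAY_API_KEY || '<embedded key>'` shape next to a loader that fails closed. The placeholder key, the `KNOWN_LEAKED_KEYS` set and the `loadSkillPayKey` name are assumptions for illustration; the real key in config.json is not reproduced, and only its `sk_` prefix is taken from the review.

```javascript
// Added example, not code from the reviewed skill. The literal below is a
// constructed placeholder standing in for the key found in config.json.
const EMBEDDED_KEY = 'sk_EXAMPLE_PLACEHOLDER_DO_NOT_USE';

// Insecure shape reported for index.js/api.js: when the operator sets nothing,
// every request is billed against the author's published key.
function loadKeyInsecure(env) {
  return env.SKILLPAY_API_KEY || EMBEDDED_KEY;
}

// Keys the audit already knows are public (assumed list). Kept so a value
// copy-pasted from the repository is rejected rather than silently reused.
const KNOWN_LEAKED_KEYS = new Set([EMBEDDED_KEY]);

// Hardened loader: no default, no fallback. Throws so the process cannot start
// and bill anyone until the operator supplies a key of their own.
function loadSkillPayKey(env) {
  const key = env.SKILLPAY_API_KEY;
  if (typeof key !== 'string' || key.trim() === '') {
    throw new Error('SKILLPAY_API_KEY is required; refusing to fall back to an embedded key');
  }
  if (KNOWN_LEAKED_KEYS.has(key)) {
    throw new Error('SKILLPAY_API_KEY matches a key published in the repository; rotate it');
  }
  // Only the "sk_" prefix is known from the review; the rest of the format is assumed.
  if (!key.startsWith('sk_')) {
    throw new Error('SKILLPAY_API_KEY does not look like a SkillPay key');
  }
  return key;
}

// Stand-alone demonstration against an empty environment.
console.log('insecure loader returns:', loadKeyInsecure({}));
try {
  loadSkillPayKey({});
} catch (err) {
  console.log('hardened loader refuses:', err.message);
}
```

The point of the hardened version is that a missing variable is a deployment error, not a condition to paper over: an operator who forgets the variable gets a crash at startup instead of a bill on someone else's account.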
Review Dimensions
- Purpose & Capability
  - note: The skill is a paid two-layer crypto signal generator, and the code implements billing and a paid API call, which is consistent with the stated purpose. However, the registry metadata supplied to the evaluator lists no required environment variables or credentials, while config.json and the code declare SKILLPAY_API_KEY as required, a clear metadata/requirement mismatch.
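A pre-install consistency check of the kind this dimension calls for, added here as an illustration and not part of ClawHub's scanner or the skill: it parses a registry listing and a config.json, reports environment variables that config.json marks required but the listing omits, and flags any config default that carries an `sk_`-prefixed secret. Both documents are constructed samples, and the field names `requiredEnv`, `env`, `required` and `default` are assumed, since the page does not show either file's schema.

```javascript
// Added example, not ClawHub's scanner or the skill's code. Both inputs are
// constructed samples; the field layout (requiredEnv, env.<NAME>.required,
// env.<NAME>.default) is an assumption, not the real schema.
const registryListing = JSON.parse(`{
  "name": "Crypto Short Signal Generator",
  "version": "1.0.0",
  "requiredEnv": []
}`);

const configJson = JSON.parse(`{
  "env": {
    "SKILLPAY_API_KEY": { "required": true, "default": "sk_EXAMPLE_PLACEHOLDER_DO_NOT_USE" },
    "SIGNAL_LOG_LEVEL": { "required": false, "default": "info" }
  }
}`);

// Names config.json marks as required.
function requiredEnvFromConfig(config) {
  return Object.entries(config.env || {})
    .filter(([, spec]) => spec && spec.required === true)
    .map(([name]) => name);
}

// Names whose default value looks like a SkillPay secret. Only the "sk_" prefix
// is known from the review, so the match is deliberately broad.
function embeddedSecretsInConfig(config) {
  return Object.entries(config.env || {})
    .filter(([, spec]) => spec && typeof spec.default === 'string' && spec.default.startsWith('sk_'))
    .map(([name]) => name);
}

// Compare the two documents and return everything a reviewer would flag.
function checkMetadataConsistency(listing, config) {
  const declared = new Set(listing.requiredEnv || []);
  const required = requiredEnvFromConfig(config);
  const missingFromRegistry = required.filter((name) => !declared.has(name));
  const undeclaredInConfig = [...declared].filter((name) => !required.includes(name));
  const embeddedSecrets = embeddedSecretsInConfig(config);
  return {
    missingFromRegistry,
    undeclaredInConfig,
    embeddedSecrets,
    ok: missingFromRegistry.length === 0 && undeclaredInConfig.length === 0 && embeddedSecrets.length === 0,
  };
}

console.log(JSON.stringify(checkMetadataConsistency(registryListing, configJson), null, 2));
```

Run against the samples, the check reports SKILLPAY_API_KEY both as missing from the registry listing and as carrying an embedded secret, which is the same pair of findings the review raises; a listing that declares the variable and a config without the default passes.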
- Instruction Scope
  - ok: SKILL.md and the code limit runtime actions to billing (SkillPay) and calling the paid analysis API; they do not instruct reading unrelated system files or environment variables beyond SkillPay-related settings. The public layer validates input, charges users, and forwards requests to the paid layer as described.
- Install Mechanism
  - ok: There is no install spec (instruction-only install), and only Node.js source files are included. No external arbitrary download URLs or unusual installers are used. This is low-risk from an install mechanism perspective.
- Credentials
  - concern: The bundle contains an embedded SkillPay API key in config.json, and both index.js and api.js default to that same key if SKILLPAY_API_KEY is not set. The registry metadata claims no required env vars, but config.json marks SKILLPAY_API_KEY as required. Hard-coded operational keys in the repo are disproportionate and dangerous (credential leak and potential misuse).
- Persistence & Privilege
  - ok: The skill does not request always:true, does not modify other skills or system-wide configuration, and is user-invocable only. It does not request elevated persistence or cross-skill privileges.
