Back to skill
Skillv1.0.2
ClawScan security
Cryptocurrency Market Live Briefing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 7:27 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally coherent: it requires Node, contains scripts that make direct calls only to Desk3 API endpoints, asks for no credentials, and its requested resources match the described purpose.
- Guidance
- This skill appears to do what it says: it runs Node scripts that call Desk3 endpoints and print market data. Before running, verify you trust the Desk3 domains (https://api1.desk3.io and https://mcp.desk3.io) and are comfortable allowing outbound HTTP from the environment where you run these scripts. Ensure you have a Node runtime (Node 18+ for built-in fetch) or add a fetch polyfill if needed. Because the source/registry owner is unknown, you may prefer to inspect the included .mjs files locally (they are present and readable) and run them in an isolated environment (or container) if you have concerns. No credentials appear to be requested or exfiltrated by the code.
Review Dimensions
- Purpose & Capability
- okThe name/description promise real-time crypto prices, indicators and news from Desk3; the code exclusively calls Desk3 domains (api1.desk3.io and mcp.desk3.io) and produces the described briefings. Declared requirement (node) matches the scripts. No unrelated services or credentials are requested.
- Instruction Scope
- okSKILL.md instructs running included Node scripts. The scripts only perform HTTP GETs to Desk3 endpoints and print formatted output; they do not read local secrets, system files, other config paths, or transmit data to other endpoints. There is no vague, open-ended instruction granting broad access.
- Install Mechanism
- okThere is no install spec (instruction-only skill) and all code is included as .mjs files. No external downloads, installers, or archive extraction are used. Risk is limited to executing included Node scripts which make network requests.
- Credentials
- okThe skill requests no environment variables or credentials and does not access other skills' config. The Desk3 API is documented as public/no-key; requiring no secrets is proportionate to fetching public market data.
- Persistence & Privilege
- okThe skill does not request 'always: true' or any elevated persistence. It does not modify system or other skills' configurations. Autonomous invocation is allowed only by the platform default and is not combined with other red flags.