Skill v1.0.5

ClawScan security

hyperbot-quote-mcp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 6:56 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (connecting to a remote MCP server to provide crypto analytics) but relies on remote services and recommends installing npm tools, so you should verify the remote host and packages before use.
Guidance
This skill appears to do what it says (connect to a remote MCP server and provide crypto analytics), but exercise caution before installing or using it:
1) Verify the remote domain (mcp.hyperbot.network) and the reputation of the Hyperbot service — do not send private keys or secrets.
2) Inspect any npm packages you are asked to run or install (mcp-remote, mcporter) — prefer using npx for one-off runs and check the package source and version on the npm registry or GitHub.
3) Back up config files before editing (~/.cursor/mcp.json, Claude/OpenClaw config).
4) Be mindful that sending wallet addresses, trade history, or strategy data to the remote server may disclose sensitive trading information.
If you cannot verify the server or packages, refrain from installing and consider requesting an official integration or more information from the skill author.

Review Dimensions

Purpose & Capability
ok: Name/description (crypto analytics, smart money/whale tracking) matches the SKILL.md: it documents MCP tools, endpoints, and analysis prompts that are directly relevant to that purpose.
Instruction Scope
ok: Instructions stay within expected scope: configuring an MCP client, calling named tools (fetch_leader_board, get_whale_positions, etc.), and analyzing returned market/trader data. The SKILL.md does not instruct reading unrelated system files or exfiltrating secrets, but it does show where to add client config files (e.g., ~/.cursor/mcp.json).
Install Mechanism
note: This is an instruction-only skill (no install spec), but it recommends running npm tooling (npx mcp-remote, npm install -g mcporter). Those commands will fetch and run remote packages, which is normal for tying into MCP clients but carries the usual supply-chain risk — verify the package names and sources before running them.
Credentials
ok: The skill requests no environment variables, no credentials, and declares read-only data usage. It does not ask for private keys or unrelated cloud credentials. Note: queries may include wallet addresses or trade history, which are user-supplied and potentially sensitive.
Persistence & Privilege
ok: The skill does not request 'always: true' or other elevated platform privileges. It suggests adding entries to local MCP client config files (typical for connecting tools) but does not modify other skills or system-wide settings beyond that.