Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trading Signal Pro

v1.0.0

Trading signal analysis - on-chain data + technical indicators

0· 85·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims on-chain + technical indicator trading signals and 24/7 automation, but the manifest only requires the curl binary and declares a 'primaryEnv' of 'bash' (which is not a typical environment variable/credential). There is no explanation why curl is required or why 'bash' is declared as a credential. These mismatches are not proportional to the stated purpose and suggest sloppy or misleading metadata.
! Instruction Scope
SKILL.md contains marketing claims (pricing, expected returns, 24x7 operation) and an example install command, but provides no runtime instructions, no commands to run, no endpoints to contact, and no configuration or credential guidance. The instructions are vague and do not enable the claimed continuous automation; that lack of concrete scope gives the implementer broad discretion and is concerning.
Install Mechanism
There is no install spec and no code files to be written or executed by the installer (instruction-only). That minimises direct install risk. However, the README references 'clawhub install' which could pull additional artifacts elsewhere — this skill bundle itself has no install payload.
! Credentials
requires.env is empty (no secrets requested), yet primaryEnv is set to 'bash' (not an environment variable name) which is incoherent. The only declared runtime dependency is curl, but SKILL.md never uses it or explains why network access or specific credentials would be needed. This inconsistency could hide later requirements during a separate install step.
Persistence & Privilege
The skill is not always-enabled and is user-invocable with normal autonomous invocation allowed. It does not request persistent system-wide privileges or configuration changes in the provided files.
Scan Findings in Context
[no_code_files_found] expected: The regex-based scanner found no code to analyze because this is an instruction-only skill. Absence of findings is expected but does not imply the skill is safe or fully described.
What to consider before installing
The skill's metadata and README are inconsistent and lack operational detail. Before installing or paying: (1) ask the publisher for the actual install package or source code and a list of endpoints the skill will contact, (2) request a clear setup guide showing how 24/7 automation is achieved and what credentials (if any) are required, (3) verify why 'curl' is needed and where network requests go, and (4) run any untrusted package only in an isolated/sandbox environment and consider asking for an independent code audit. If the seller cannot provide clear, auditable details, treat the offering as risky.


latestvk972ey8gf71hekz0zgq5vr4scn83e1nz

Runtime requirements

Bins: curl
Primary env: bash
