Skill v1.0.9

ClawScan security

marsbit-crypto-flash-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 15, 2026, 12:38 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions are consistent with a simple news-fetcher, but the package metadata requests broader agent capabilities (exec, read) that aren't justified by the SKILL.md and raise a privacy/over-privilege concern.
Guidance
Before installing:
1) Verify the upstream repository (https://github.com/domilin/marsbit-crypto-news-skill) and confirm the package.json honestly reflects needed capabilities — ask the author why 'exec' and 'read' are declared.
2) Recognize that queries and any user-provided context will be sent to https://www.marsbit.co/api/mcp (privacy risk).
3) If you want minimal risk, restrict the skill from being invoked autonomously or run it in a sandboxed account.
4) If you must install, inspect the repository contents locally for unexpected scripts and prefer the ClawHub install path over manual GitHub installs if you trust ClawHub.
If the author cannot justify the extra tool permissions, treat the skill as over-privileged and avoid installing it.

Review Dimensions

Purpose & Capability
concern: The SKILL.md and README describe a hosted-MCP news/flash fetcher that only needs outbound HTTP (curl). However package.json declares OpenClaw 'tools' dependencies including 'exec' and 'read' which are not used or documented in the runtime instructions — this grants the skill broader local access than its stated purpose requires.
Instruction Scope
ok: The runtime instructions are narrowly scoped to making POST requests to the hosted MCP endpoint (https://www.marsbit.co/api/mcp) via curl and parsing returned JSON. They do not instruct reading local files, environment variables, or forwarding data to other endpoints.
Install Mechanism
ok: The only install action is a brew formula for curl (a well-known package) and optional instructions to clone from GitHub. No arbitrary downloads or extract-from-unknown-URLs are present.
Credentials
concern: No environment variables or credentials are requested (good). But package.json's declared tool dependencies ('exec', 'read') are disproportionate: 'read' could allow access to local files and 'exec' to run arbitrary commands, neither of which is required by the SKILL.md. This is an unnecessary escalation of access.
Persistence & Privilege
note: The skill is not always-on and is user-invocable (default). Autonomous invocation is permitted by platform default; combined with the extra 'exec'/'read' tool grants this could increase blast radius. There is no evidence the skill modifies other skills or system-wide settings.