Skill v1.0.1
ClawScan security
DSCVR Intelligence Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 10:26 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and SKILL.md require DSCVR API credentials, but the registry metadata does not declare any required environment variables or primary credential — an incoherence that warrants caution before installing.
- Guidance: Do not install or provide secrets yet — there is a metadata mismatch. The package files and SKILL.md clearly require two secrets (DSCVR_API_KEY and DSCVR_SECRET_KEY), but the registry entry declares none. Before proceeding:
  1. Ask the publisher to correct the registry metadata so required env vars/primary credential are declared.
  2. Verify the DSCVR API base URL (defaults to https://dscvr.one) is legitimate.
  3. If you must test, run the scripts in an isolated environment (container) and use a least-privilege or temporary API key you can revoke.
  4. Consider rotating/revoking the key if you already provided it to this skill.

  If the registry metadata is corrected to explicitly require DSCVR_API_KEY/DSCVR_SECRET_KEY and nothing else, and the seller is trusted, the skill is coherent with its purpose.
Review Dimensions
- Purpose & Capability (note): The skill's name, description, SKILL.md, README, and included Python code all consistently implement a DSCVR crypto-intelligence client (HMAC-SHA256 auth, various endpoints). Functionality matches the stated purpose.
- Instruction Scope (ok): Runtime instructions are appropriately scoped to calling the DSCVR API via included CLI scripts; they require Python/uv and explicit API credentials and do not attempt to read unrelated system files or other services.
- Install Mechanism (ok): This is instruction-plus-source (no external download URLs). Dependencies are declared inline (PEP 723) and resolved via uv; the only network targets are the DSCVR API base URL. No high-risk install URLs or archives are present.
- Credentials (concern): The SKILL.md and scripts require DSCVR_API_KEY and DSCVR_SECRET_KEY (and optional DSCVR_API_BASE_URL) — reasonable for the described API client. However, the registry metadata lists no required environment variables or primary credential, which is inconsistent and could mislead permission/secret review. The skill will read secret env vars at runtime and exit if missing.
- Persistence & Privilege (ok): The skill does not request always:true, does not modify other skills or system configuration, and has no elevated persistence. It only runs on invocation and makes outbound API calls to the configured base URL.
