Skill v1.0.2
ClawScan security
Binance Signal Engine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 7, 2026, 12:03 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its description: it fetches public market OHLCV via ccxt and runs local technical-analysis code without requesting credentials or unusual system access.
- Guidance: This skill appears to be a read-only technical-analysis tool that fetches public OHLCV data via ccxt and computes signals locally. Before installing: (1) confirm you are comfortable installing Python packages (ccxt, pandas, numpy, ta) from PyPI; (2) do NOT provide exchange API keys to the skill unless you review the code paths that would send them to ccxt—by default the tool claims to use only public data and needs no keys; (3) review or run the included script locally first to verify behavior and logging (debug mode may print details); (4) if you plan to integrate it into an automated agent, remember it can make outbound network calls to exchanges for market data—ensure that is acceptable in your environment.
Review Dimensions
- Purpose & Capability (ok): Name/description (multi-timeframe TA for Binance) aligns with requirements and code: it needs python and ccxt/pandas/ta to fetch public OHLCV and compute indicators. No unrelated binaries, credentials, or config paths are requested.
- Instruction Scope (ok): SKILL.md instructs running the included Python script to fetch market data, compute indicators, and emit JSON/human summaries. Instructions do not ask the agent to read unrelated files, export secrets, or call unexpected endpoints; exchange access is limited to public market data via ccxt.
- Install Mechanism (note): Install spec pulls Python packages (ccxt, pandas, numpy, ta) from the package ecosystem (pip). This is standard for Python tools but carries the usual supply-chain risk of installing PyPI packages; there are no downloads from arbitrary URLs or extract steps in the spec.
- Credentials (ok): No environment variables, API keys, or config paths are required. The code and docs explicitly state it uses public OHLCV only and does not perform trading or require user credentials, so requested environment access is proportionate.
- Persistence & Privilege (ok): The skill is not always-enabled and uses normal agent invocation. It does not request elevated persistent privileges or modify other skills or system-wide agent settings.
