ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Prices in Latam by Criptoya

v1.0.0

Consulta cotizaciones de criptomonedas con CriptoYa por exchange y en forma agregada. Usar cuando el usuario pida "precio BTC en ARS", "cotizacion USDT", "pr...

0· 554·0 current·0 all-time
byFermin Rodriguez Penelas@ferminrp
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md explicitly runs curl and pipes to jq (examples and workflow). The registry metadata lists no required binaries. Either the metadata omitted required tools or the instructions assume runtime tools that may not exist. Other requirements (APIs, endpoints) align with the crypto-prices purpose.
Instruction Scope
Instructions are narrowly scoped to calling CriptoYa endpoints, parsing JSON, handling the special-case plain-text "Invalid pair", retrying network calls, and presenting summarized and per-exchange results. The instructions do not request unrelated files, credentials, or system state.
Install Mechanism
No install spec or code is present (instruction-only), so nothing is written to disk. This is the lowest-risk install model and is consistent with the skill being a thin integration.
Credentials
The skill requests no environment variables or credentials and only needs outbound network access to https://criptoya.com. That level of access is proportionate for a public-price-lookup skill.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent privileges. Autonomous invocation is enabled by default but that is normal and not combined here with broad credential access.
What to consider before installing
This skill appears to do what it says: query CriptoYa for prices and fees. Before installing, note two practical issues: (1) the runtime instructions assume curl and jq but the skill metadata does not declare them—confirm the agent environment has those binaries or update the skill to declare/fallback to built-in HTTP/JSON handling; (2) the skill makes outbound requests to https://criptoya.com, so ensure your environment permits external HTTP(S) and you are comfortable with requests/queries leaving your agent. There are no requests for secrets or unrelated system access, and the retry and error-handling behavior is reasonable. If you plan to use this for production or many queries, check rate limits and consider caching to avoid hitting the remote API too frequently.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fcaattpmrzv67c2f8x1r1wx81d0m6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments