Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mobula - Crypto Prices & Market Data

v1.0.1

Real-time token prices, market caps, volume, and analytics across 88+ blockchains. Free tier, no credit card required.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is a read-only market-data integration and the runtime instructions require a single API key (MOBULA_API_KEY), which is appropriate for this purpose. However, registry metadata at the top of the submission lists "Required env vars: none" while SKILL.md and README both declare and instruct setting MOBULA_API_KEY — an inconsistency in packaging/metadata that should be resolved.
Instruction Scope
SKILL.md only instructs the agent to call Mobula HTTP endpoints and to use MOBULA_API_KEY in the Authorization header. There are no instructions to read unrelated local files, private keys, or to exfiltrate data. The README suggests persisting the API key in a shell rc file (~/.zshrc) which is a user action to consider (persistence of the key is outside the skill but worth noting).
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write to disk; that is the lowest-risk install mechanism. The README suggests installing via ClawHub or loading the SKILL.md from a GitHub raw URL, which is consistent with an instruction-only skill.
Credentials
Only one credential (MOBULA_API_KEY) is required in the SKILL.md, which is proportionate for a third-party API. The concern is the metadata/registry mismatch (registry claims no required env vars). Also the README suggests adding the key to ~/.zshrc (persistent storage) — acceptable but users should avoid committing keys to source control and be cautious where they persist secrets.
Persistence & Privilege
The skill is not marked always:true and does not request persistent privileged presence or modification of other skills. It is user-invocable and allowed to be invoked autonomously (default), which is normal for skills.
What to consider before installing
This skill appears to do what it says (read-only crypto market data) and only needs an API key, but there are small red flags you should check before installing:

- Confirm the registry metadata: the package metadata provided to the registry says no env vars are required, but the SKILL.md/README require MOBULA_API_KEY. Ask the publisher or registry maintainer to correct the metadata so automatic installation tools know the key is required.
- Verify the publisher and repository: the homepage is mobula.io but the GitHub repo linked in SKILL.md/README (github.com/Flotapponnier/...) may not clearly match the official org. Confirm the repo is legitimate and maintained by the service you trust.
- Treat API keys as sensitive: set MOBULA_API_KEY in your environment, avoid committing it to code or public dotfiles, and consider using a scoped/test key when trying the skill first. If you store it in ~/.zshrc, be aware other processes/users on the machine may read it.
- Limit blast radius: test the skill with a throwaway or low-privilege API key and monitor usage/rate limits. If the service supports key rotation or IP restriction, enable those protections.
- Privacy & policy: review mobula.io docs/privacy and API docs to confirm the API key only grants read access to public market data and that the provider's logging/usage policies meet your requirements.

Given the inconsistency in published metadata (missing MOBULA_API_KEY requirement) and the unknowns about repository ownership, proceed cautiously and ask the maintainer/registry to clarify before trusting a production key.

