ClawHub
Back to skill
v1.0.1

Mobula - Crypto Prices & Market Data

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:19 AM.

Analysis

This is a read-only Mobula market-data skill; users should mainly notice that it needs a Mobula API key and the docs suggest storing that key in shell configuration.

GuidanceThis skill appears safe for read-only crypto market data. Before installing, be comfortable giving your agent access to a Mobula API key, avoid exposing that key in logs or shared shell config, and do not rely solely on the documentation's VirusTotal/security claims without checking the linked sources if needed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
README.md
echo 'export MOBULA_API_KEY="your_key"' >> ~/.zshrc
source ~/.zshrc

The README provides user-directed shell commands that modify the user's shell startup file to persist the API key. This is a common setup pattern, not automatic execution, but it changes local configuration.

User impactThe API key may remain stored in plaintext in your shell configuration and could be exposed through backups, dotfile sharing, or local account compromise.
RecommendationOnly run the setup command if you want persistent configuration; consider using a secrets manager or temporary environment variable if you prefer not to store the key in ~/.zshrc.
Human-Agent Trust Exploitation
SeverityInfoConfidenceMediumStatusNote
README.md
✅ **Open source** - [View code on GitHub](https://github.com/Flotapponnier/Crypto-date-openclaw)
✅ **VirusTotal verified** - Benign scan results

The documentation makes trust and safety claims, but the supplied artifacts do not include a VirusTotal report. The repository link may be useful, but the security claim should not be treated as independent proof from the provided artifacts.

User impactYou might place more trust in the skill than the included evidence alone supports.
RecommendationTreat the security badges and claims as informational; review the linked repository or independent scan results if that assurance matters to you.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
requiredEnvVars:
  - MOBULA_API_KEY
...
Authorization: ${MOBULA_API_KEY}

The skill requires a Mobula API key and uses it in the Authorization header. This is expected for a Mobula API integration, but it means a credential is involved even though the registry metadata declares no required env vars or primary credential.

User impactYour agent will need access to a Mobula API key and will send it to Mobula when making market-data requests.
RecommendationUse a dedicated Mobula key with the minimum needed plan/scope, and rotate it if it is exposed.