Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mobula - Wallet Portfolio & Transactions
v1.0.0
Track wallet portfolios and transaction history across 88+ blockchains. Monitor holdings, analyze trades, and follow whale wallets.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description (wallet portfolio and transactions) align with the API endpoints documented in SKILL.md. Requesting an API key for Mobula is proportionate to the stated purpose. However, the registry metadata earlier in the package lists no required environment variables while SKILL.md declares MOBULA_API_KEY as required — an inconsistency in the skill metadata.
Instruction Scope
SKILL.md explicitly instructs the agent to send wallet addresses and queries to Mobula's API (expected). It also includes patterns that imply persistent monitoring ('store previous values', 'Monitor 24/7', 'alert me on Telegram'), but it does not specify where data should be stored or how alerts will be delivered (no storage backend or Telegram credentials are declared). That ambiguity grants broad discretion to the agent and could lead to unintended data persistence or use of other connectors.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes installation risk — nothing is downloaded or executed on install.
Credentials
SKILL.md requires a single API key (MOBULA_API_KEY), which is appropriate for the API usage described. The concern is the mismatch between SKILL.md (which declares the env var) and the registry's top-level requirements (which list no env vars). Users should confirm that the platform will prompt for or protect the API key and that the skill metadata is corrected. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true or any elevated platform privileges and will not be force-included. However, several documented use-cases imply persistent monitoring and storage (daily summaries, change detection). Because the SKILL.md does not specify where data is stored or how long, users should verify how the agent will persist state before enabling continuous monitoring.
Scan Findings in Context
[NO_CODE_FILES] expected: The regex/static scanner had no code files to analyze because this is an instruction-only skill (SKILL.md + README). That reduces static-analysis signal but does not imply safety; runtime behavior is driven by the instructions.
What to consider before installing
This skill appears to be a read-only wallet analytics integration and legitimately needs a Mobula API key — but two things to check before installing: (1) confirm the registry metadata is updated to declare MOBULA_API_KEY (the SKILL.md requires it but top-level metadata omitted it), and (2) decide where monitoring state and alerts will be stored/sent. Use a separate, limited Mobula API key for the agent (avoid reusing high‑privilege keys), avoid querying wallets you consider private, review Mobula's privacy policy, and review the referenced GitHub repo to verify no unexpected behavior. If you plan to use continuous monitoring or alerts (Telegram or other channels), verify what additional credentials will be required and how they will be protected. If the maintainer can clarify the metadata and persistence/alerting mechanics, my confidence would increase.
Like a lobster shell, security has layers — review code before you run it.
