Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bitcoin Market Intelligence

v3.0.0

The only Bitcoin intelligence agent that pays for its own data with sats. Serves live price, Fear & Greed, mempool fees, ETF flows, on-chain metrics, and pre...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the instructions: the skill is an instruction-only connector to a paid Bitcoin data service over L402/Lightning. Required tools (lnget, an LND node, Tor) are appropriate for that purpose. However the SKILL claims 'open source' and 'VirusTotal clean' but provides no repository or verifiable provenance link.
Instruction Scope
SKILL.md tells the agent to call a hard-coded .onion API via lnget, which will cause the user's Lightning stack to pay invoices. While this is expected for a paid Lightning API, the instructions do not describe where lnget will read macaroons/certs (local LND auth material) or how to audit the responses — so the agent will by design cause outbound payments and transmit network requests to an opaque remote service.
Install Mechanism
Instruction-only skill with no install spec or downloaded code — low disk/installation risk. It relies on existing tools (lnget, Tor, LND) instead of installing new binaries.
Credentials
No environment variables or external credentials are requested in metadata, which is consistent. However operation implicitly requires access to a funded LND node and its auth artifacts (macaroon/TLS cert) and will spend sats; these are sensitive and proportionate to the stated paid-data use but should be treated as high-impact.
Persistence & Privilege
Skill is not always-enabled and does not request system-wide persistence or to modify other skills. It does allow autonomous invocation by default (platform normal), so an agent could trigger payments unless you restrict invocation.
What to consider before installing
This skill is basically a pointer to a paid Lightning-based data service rather than local code. Before installing:
1) Verify provenance — ask for the project's source repo or a trusted maintainer identity (SKILL claims 'open source' but gives no link).
2) Understand cost/risk — using it will cause your agent (or the host) to pay Lightning invoices from your LND wallet; start with tiny test payments and limit agent autonomy.
3) Inspect lnget/LND configuration — know where macaroons and certs live and which wallet/channel will be charged.
4) Treat the hard-coded .onion endpoint as untrusted until you can verify it (it could be any remote operator).
5) If you want to avoid unexpected spending, disable autonomous invocation for this skill or require explicit user confirmation before each call.

Like a lobster shell, security has layers — review code before you run it.
