加密货币与贵金属监控
Security checks across malware telemetry and agentic risk
Overview
The skill appears to do what it says: fetch public crypto, metals, and exchange-rate prices, then cache them locally without using credentials or private user data.
This skill looks benign for monitoring public crypto, precious-metals, and exchange-rate prices. Be aware that it contacts third-party market-data APIs and writes local cache files under /tmp/crypto-monitor; it does not show trading, account access, credential use, or private-data collection.
VirusTotal
59/59 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may fail or behave inconsistently if those tools are not installed, but this does not indicate hidden or malicious behavior.
The registry metadata does not declare runtime tool requirements, while the included shell script uses local commands such as curl, python3, bc, stat, date, and grep.
Required binaries (all must exist): none; Install specifications: No install spec
Before using it, make sure the expected command is installed and that common tools like curl, python3, and bc are available.
Using the skill will contact third-party price-data services and disclose normal request metadata such as IP address and timing to those services.
The script makes outbound API calls to retrieve market and exchange-rate data. This is expected for the stated monitoring purpose and does not include private user data or credentials.
curl -s --connect-timeout 3 "https://api.coingecko.com/api/v3/simple/price?..."; curl -s --connect-timeout 3 "https://api.exchangerate-api.com/v4/latest/USD"; curl -s --connect-timeout 3 "https://www.goldapi.io/api/XAU/USD"
Use it only if you are comfortable with these public market-data APIs being contacted when price commands are run.
Local cache files may persist temporarily on the machine, but they do not contain account credentials or private user documents in the provided artifacts.
The script stores cached market data and metals history in a predictable temporary directory. The stored data appears limited to public price values and timestamps.
local cache_file="/tmp/crypto-monitor/prices.json"; local history_file="/tmp/crypto-monitor/metals_history.json"; echo "{\"gold\":$gold,\"silver\":$silver,\"timestamp\":$now}" > "$history_file"If desired, clear /tmp/crypto-monitor to remove cached price data.