Skill v1.0.1

ClawScan security

Nft Floor Price Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 3:01 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (monitor NFT floors and send Discord webhook alerts); nothing obviously malicious, but there are some minor inconsistencies you should be aware of before installing.
Guidance
This skill appears to do what it says: fetch NFT floor prices and optionally send a Discord webhook. Before installing, consider the following:
1. Ensure the runtime has Python 3 and the requests library available (the package.json is an npm-style file listing a Python dependency, so installation is manual).
2. Only provide a Discord webhook URL you control; treat webhooks as secrets because they allow posting into your Discord.
3. If you want to use authenticated OpenSea endpoints, supply OPENSEA_API_KEY only if you trust the skill.
4. Review the included scripts locally if you have any doubt; the code posts only to the webhook URL you supply and queries public APIs.
If you need higher assurance, ask the author for a proper install spec (pip requirements or a setup instruction) and clarification about the package.json mismatch.

Review Dimensions

Purpose & Capability
ok
Name/description (NFT floor monitoring + Discord alerts) align with the included Python script: it queries OpenSea/CoinGecko endpoints and can post to a Discord webhook. The optional OPENSEA_API_KEY and DISCORD_WEBHOOK_URL environment variables are relevant to the stated features.
Instruction Scope
ok
SKILL.md instructs only to query public APIs (OpenSea, CoinGecko) and optionally send alerts to a Discord webhook. The runtime instructions do not request unrelated files, system credentials, or external endpoints beyond the described APIs and webhook. The compare mode prompts the user for collection slugs when needed.
Install Mechanism
note
There is no install spec (instruction-only), which minimizes installation risk. However, the package.json lists a dependency named "requests" (a Python library) under an npm-style manifest; this is inconsistent (a Node package manifest pointing to a Python dependency). It likely means the runtime must have Python and the requests package installed, but there is no automated install step. This is a usability/incoherence issue rather than direct maliciousness.
Credentials
ok
Requested environment variables (DISCORD_WEBHOOK_URL and optionally OPENSEA_API_KEY, used in code) are appropriate for the functionality. The skill does not request unrelated credentials or secret stores. No unexpected env vars are referenced in the visible code.
Persistence & Privilege
ok
The skill does not request always: true, does not modify other skills, and has no install actions that change system-wide agent settings. Autonomous invocation is allowed by default but is not combined with other red flags.