Skill v1.0.0

ClawScan security

gate-info-trendanalysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 7, 2026, 1:16 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
Instruction-only, read-only technical-analysis skill that uses Gate Info MCP tools and does not request credentials — largely coherent with its stated purpose, but verify publisher/source provenance before installing.
Guidance
What to check before installing:
- Functionality: This is instruction-only and read-only — it calls Gate Info MCP tools to fetch market data and assembles a technical analysis report; it does not trade or require secrets.
- Provenance: Registry metadata shows Source: unknown and no homepage, while README references Gate's GitHub and Gate.com. If you care about provenance, confirm the publisher/owner and that the README/repo link are authentic before installing.
- Runtime rules: The skill instructs the agent to read shared runtime rule files (../gate-runtime-rules.md and ../info-news-runtime-rules.md) and optionally local update scripts in a repository copy. Ensure those shared files and any local scripts in your environment are trusted and reviewed because the agent may consult them at runtime.
- Operational requirement: The skill requires the Gate-Info MCP server to be available to function. If your environment does not expose that MCP server, the skill will fail gracefully but should not leak credentials (none are requested).
- If unsure: run the skill in a restricted/sandboxed agent, or request the publisher’s canonical repository link and verify owner identity before enabling it in production.

Review Dimensions

Purpose & Capability
ok: The skill's name, README, and SKILL.md all describe single-coin technical/trend analysis and list exactly four read-only MCP tools required for that purpose. No credentials, binaries, or config paths are requested, which is proportional to a read-only analysis skill. One minor mismatch: registry metadata lists Source: unknown / no homepage while README claims a Gate GitHub repo and Gate.com publisher — this is a provenance inconsistency to verify.
Instruction Scope
note: SKILL.md confines behavior to fetching K-line, indicator history, technical snapshots, and a market snapshot and assembling a report. It instructs the agent to read shared runtime rule files (../gate-runtime-rules.md and ../info-news-runtime-rules.md) and to follow local maintenance scripts if present; reading those shared rules is expected for Gate skills but means the agent may consult files outside the skill directory at runtime — verify those shared rule files come from a trusted source in your installation.
Install Mechanism
ok: No install spec and no code files (instruction-only). This is the lowest-risk install model: nothing is written to disk by the skill itself and no external archives or package downloads are requested.
Credentials
ok: The skill requires no environment variables, no credentials, and declares read-only MCP access with 'API Key Required: No'. This is proportionate to the described read-only analysis function.
Persistence & Privilege
ok: always is false and the skill does not request persistent system-wide privileges or write to other skills' configs. It may be invoked autonomously by the agent when eligible (platform default) but does not escalate privileges itself.