Skill v3.0.5

ClawScan security

Goldrush Streaming API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 9, 2026, 10:49 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions are coherent for a streaming blockchain GraphQL client, but there are small mismatches and provenance gaps (no declared API credential, no source/homepage) that warrant caution before use.
Guidance
This skill appears to be a legitimate streaming API client guide, but take these precautions before installing or using it:
- Verify the source: there is no homepage or source repository in the metadata and the owner ID is opaque. Prefer skills with a verifiable homepage or repo.
- Validate the SDK: if you follow the SDK recommendation, inspect the npm package (@covalenthq/client-sdk) on the npm registry and its source code before installing.
- Protect your API key: the protocol sends GOLDRUSH_API_KEY in the WebSocket connection_init payload. Do not paste a sensitive key into public logs or code without understanding its permissions and billing model. Consider creating a scoped key with limited permissions, or a test key.
- Check the endpoint: the WebSocket endpoint is wss://streaming.goldrushdata.com/graphql. Confirm this domain is owned by the service you trust before sending credentials to it.
- Ask the publisher: because the skill metadata lacks a homepage/source, ask the publisher for a repository or official docs to confirm authenticity.
If you cannot verify the provider, treat API keys and usage as higher risk. If you can verify the upstream SDK and domain, and you supply an API key intentionally, the skill's instructions are otherwise coherent for live blockchain streaming use.
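The "protect your API key" and "check the endpoint" precautions above can be enforced in the client rather than left to habit. The following is an added example, not code from the skill, from ClawHub or from the SDK vendor: it refuses to build a graphql-transport-ws connection_init frame unless the endpoint is wss:// and its hostname exactly matches an allowlist, reads the key from the environment instead of source, and produces a redacted copy of the frame for logging. The endpoint and the GOLDRUSH_API_KEY payload field follow the scan's description; the exact payload shape the server expects, and the sample key, are assumptions for the example.

```javascript
// Added example: credential guard for a graphql-transport-ws client (Node 18+, no dependencies).
// Not part of the skill or the upstream SDK.

// Hosts the key may be sent to. The endpoint host comes from the scan text.
const TRUSTED_HOSTS = new Set(["streaming.goldrushdata.com"]);

// Accept only wss:// URLs whose hostname is exactly an allowlisted host.
// Exact matching rejects look-alikes such as streaming.goldrushdata.com.evil.example,
// query-string decoys, plaintext ws://, and userinfo embedded in the URL.
function isTrustedEndpoint(endpoint, trustedHosts = TRUSTED_HOSTS) {
  let url;
  try {
    url = new URL(endpoint);
  } catch {
    return false; // unparseable input is never trusted
  }
  if (url.protocol !== "wss:") return false;
  if (url.username || url.password) return false;
  return trustedHosts.has(url.hostname.toLowerCase());
}

// First frame of a graphql-transport-ws session. The payload field name follows the
// scan's description (GOLDRUSH_API_KEY in the connection_init payload); the server's
// exact expected shape is an assumption here.
function buildConnectionInit(apiKey) {
  return { type: "connection_init", payload: { GOLDRUSH_API_KEY: apiKey } };
}

// Log-safe copy of the frame: keeps a short prefix so keys can be told apart in
// logs without ever writing the full secret. Does not mutate the original frame.
function redactInit(frame) {
  const key = frame.payload.GOLDRUSH_API_KEY;
  const shown = key.length > 6 ? `${key.slice(0, 4)}****` : "****";
  return { ...frame, payload: { ...frame.payload, GOLDRUSH_API_KEY: shown } };
}

// Everything a client needs before opening the socket. Throws if the endpoint is
// untrusted or the key is absent, so a misconfigured run fails before any credential
// leaves the process. `env` is injected so the function can be exercised offline.
function prepareStreamingSession(endpoint, env = process.env) {
  if (!isTrustedEndpoint(endpoint)) {
    throw new Error(`refusing to send credentials to untrusted endpoint: ${endpoint}`);
  }
  const apiKey = env.GOLDRUSH_API_KEY;
  if (!apiKey) {
    throw new Error("GOLDRUSH_API_KEY is not set; export a scoped or test key first");
  }
  const init = buildConnectionInit(apiKey);
  return { endpoint, init, logSafeInit: redactInit(init) };
}

// Stand-alone demo with a constructed key (not a real credential). A real client would
// now open a WebSocket with subprotocol "graphql-transport-ws" and send
// JSON.stringify(session.init) as its first frame, logging only session.logSafeInit.
const session = prepareStreamingSession("wss://streaming.goldrushdata.com/graphql", {
  GOLDRUSH_API_KEY: "cqt_constructed_sample_key_1234567890",
});
console.log(JSON.stringify(session.logSafeInit));
```

Exact hostname matching is deliberate: a suffix or substring check would accept a registrable look-alike domain, which is precisely the case the "check the endpoint" precaution warns about.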

Review Dimensions

Purpose & Capability
ok · Name/description (real-time blockchain GraphQL subscriptions) match the instructions and included endpoint references. The recommended SDK (@covalenthq/client-sdk) and described WebSocket endpoints are consistent with the stated purpose.
Instruction Scope
ok · SKILL.md stays on-topic: it describes connection setup, subscription queries, SDK usage, and troubleshooting. It does not instruct reading local files, unrelated environment variables, or exfiltrating data beyond the declared streaming endpoint.
Install Mechanism
ok · No install spec provided (instruction-only), so nothing is written to disk by the skill itself. It recommends installing an npm SDK, which is a normal developer dependency; the skill does not automatically download or execute remote code.
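An npm dependency is "normal" only once its registry metadata has been looked at, which is what the guidance's "validate the SDK" step asks for. The following is an added example, not code from the skill, from ClawHub or from the SDK vendor: it reviews the manifest object that `npm view <pkg> --json` prints for the signals a reviewer checks before `npm install` (install-time lifecycle scripts, a missing repository or homepage, dependencies resolved from outside the registry, a missing integrity hash, a name that does not match what was intended). The two manifests it is exercised with are constructed for the example and are not the real @covalenthq/client-sdk metadata.

```javascript
// Added example: pre-install review of an npm manifest (Node 18+, no dependencies).
// Not part of the skill or the upstream SDK. Manifests used below are constructed.

// Lifecycle scripts npm runs automatically during install. Any of these means the
// package executes code on the developer machine before it has been imported.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Dependency specifiers that bypass the registry (arbitrary tarballs, git hosts, local paths).
const OFF_REGISTRY_SPEC = /^(https?:|git\+|git:|github:|file:)/;

// Returns a list of human-readable findings; an empty list means nothing flagged.
// `expectedName` is the package the developer meant to install, so a typosquat
// or a wrong scope is caught even when the rest of the manifest looks clean.
function reviewManifest(manifest, expectedName) {
  const findings = [];

  if (manifest.name !== expectedName) {
    findings.push(`name mismatch: expected ${expectedName}, got ${manifest.name}`);
  }

  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`runs ${hook} script on install: ${scripts[hook]}`);
  }

  // `repository` may be a string or an object with a `url` field.
  const repo =
    typeof manifest.repository === "string"
      ? manifest.repository
      : (manifest.repository && manifest.repository.url) || "";
  if (!repo) findings.push("no repository URL declared; source cannot be traced");
  if (!manifest.homepage) findings.push("no homepage declared");

  const deps = { ...(manifest.dependencies || {}), ...(manifest.optionalDependencies || {}) };
  for (const [dep, spec] of Object.entries(deps)) {
    if (OFF_REGISTRY_SPEC.test(spec)) {
      findings.push(`dependency ${dep} resolves outside the registry: ${spec}`);
    }
  }

  // `dist.integrity` is the SRI hash npm records in the lockfile; its absence means
  // the tarball cannot be pinned by content.
  if (manifest.dist && !manifest.dist.integrity) findings.push("no integrity hash in dist metadata");

  return findings;
}

// Constructed manifests for the stand-alone demo (not real registry data).
const CLEAN_MANIFEST = {
  name: "@example/streaming-client",
  version: "1.2.3",
  repository: { type: "git", url: "git+https://github.com/example/streaming-client.git" },
  homepage: "https://github.com/example/streaming-client#readme",
  scripts: { build: "tsc", test: "vitest" },
  dependencies: { ws: "^8.0.0" },
  dist: { integrity: "sha512-constructedIntegrityValueForTheExample" },
};

const SHADY_MANIFEST = {
  name: "@example/streaming-clinet", // one-letter typosquat of the intended name
  version: "1.2.3",
  scripts: { postinstall: "node setup.js" },
  dependencies: { helper: "https://example.invalid/helper.tgz" },
  dist: {},
};

console.log("clean:", reviewManifest(CLEAN_MANIFEST, "@example/streaming-client"));
console.log("shady:", reviewManifest(SHADY_MANIFEST, "@example/streaming-client"));
```

Findings are advisory: a legitimate package can have a `prepare` script or a git-sourced dependency, but each finding is a reason to open the tarball (`npm pack`) and read what runs before trusting it in the agent's environment.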
Credentials
concern · The docs require an API key sent in the WebSocket connection_init payload (GOLDRUSH_API_KEY), but the skill metadata declares no required environment variables or primary credential. The skill will therefore rely on the agent/user to supply an API key at runtime; this mismatch and the lack of declared provenance for the key are noteworthy. Also, the metadata lists no homepage/source repository for verification.
Persistence & Privilege
ok · Skill is not always-enabled and does not request elevated or persistent system privileges. It's instruction-only and does not modify other skills or system-wide settings.