Skill v1.0.3

ClawScan security

gate-info-marketoverview · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 7, 2026, 10:34 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only, read-only market‑overview aggregator that requests no credentials or installs and is internally consistent with its stated purpose, aside from a small wording inconsistency in the tool-count/fallback documentation.
Guidance
This skill appears coherent and low-risk: it is read-only, requires no credentials, and only uses documented internal MCP tools. Before installing, confirm: (1) your agent has access to a trusted Gate MCP server and that the MCP endpoints truly require no credentials in your environment; (2) the intended set of MCP calls (5 vs 6) and fallback behavior meet your operational expectations; and (3) you will only invoke this skill for broad market questions (not single-coin analysis)—ambiguity in user prompts can route to the wrong skill. If you need stronger guarantees, review the Gate MCP server's access controls and logs to ensure no unexpected data transmission occurs.

Review Dimensions

Purpose & Capability
ok: Name/description (market overview) match the declared behavior: it only calls read-only MCP endpoints for market, rankings, DeFi, macro, and events. No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
note: Runtime instructions are narrowly scoped to market‑level queries and explicitly forbid calling undocumented tools or reading secrets. Minor inconsistency: some places say 'call 5 MCP Tools in parallel' while other files/specs refer to 6 feeds and a 'gather all 6 feeds' SOP and fallback to info_marketsnapshot_get_market_snapshot. This is a documentation clarity issue rather than a security red flag, but reviewers should confirm which endpoints are intended to be called in normal vs fallback flows.
Install Mechanism
ok: No install spec or code files; instruction-only skill (lowest install risk). The skill requires a local Gate MCP server to be available, but does not install anything itself.
Credentials
ok: No environment variables, secrets, or API keys required. The skill expects read-only access via the host's Gate MCP server (declared as 'API Key Required: No'); operators should verify that the MCP server itself doesn't require undisclosed credentials or introduce additional access requirements.
Persistence & Privilege
ok: always:false and no special persistence is requested. The skill can be invoked autonomously by the agent (platform default), but this is not combined with elevated privileges or secret access.