Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
GMGN Skill Market
v1.2.7
Get crypto and meme token price charts (K-line, candlestick, OHLCV), trending meme coin rankings by volume, and newly launched tokens on launchpads (pump.fun...
by @gmgnai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md clearly targets market data (kline, trending, trenches) and expects gmgn-cli to access GMGN API — that purpose is coherent. However, the registry metadata lists no required environment variables or config paths while the instructions explicitly require GMGN_API_KEY in ~/.config/gmgn/.env and a gmgn-cli installation. The missing declaration is a meaningful mismatch.
Instruction Scope
Runtime instructions tell the agent to use gmgn-cli and to run local diagnostics (ifconfig/ip addr) and an external probe (https://ipv6.icanhazip.com) for IPv6 troubleshooting. Asking to run local network commands and to rely on a local config file (~/.config/gmgn/.env) is within troubleshooting scope but broadens the agent's system access; the SKILL.md implicitly expects reading/storing a sensitive API key which is not declared in metadata.
Install Mechanism
There is no install spec in the registry, but SKILL.md instructs users to run `npm install -g gmgn-cli`. Installing an npm package is a reasonable way to provide the CLI, but it is not automated nor vetted by the registry. This places trust in an external npm package (moderate risk); the registry should declare the install requirement or provide a verified install source.
Credentials
The skill requires an API key (GMGN_API_KEY stored in ~/.config/gmgn/.env) for normal operation according to SKILL.md, yet the registry metadata lists zero required env vars and no config paths. Requiring a sensitive credential but not declaring it is disproportionate and an incoherence that reduces transparency.
Persistence & Privilege
The skill is instruction-only, has no install spec in the registry, does not set always:true, and does not request system-wide changes. It can be invoked autonomously (default) which is normal for skills; there is no evidence it modifies other skills or global agent settings.
What to consider before installing
This skill appears to be a CLI wrapper for GMGN market data and is plausible for the stated purpose, but the SKILL.md requires you to have gmgn-cli installed and an API key stored in ~/.config/gmgn/.env — none of which the registry metadata declares. Before installing or enabling: 1) confirm the gmgn-cli npm package source and review its code or readme (you will install code from npm if you follow the SKILL.md); 2) verify how/where the GMGN_API_KEY is stored and whether you trust giving that key to the CLI (don’t paste secrets into untrusted packages); 3) ask the publisher to update registry metadata to list the required env var and config path and to provide an explicit, verifiable install spec; 4) be aware the skill’s runtime instructions include local network diagnostic commands (ifconfig/ip) and an external IPv6 probe (ipv6.icanhazip.com) — these are for troubleshooting but will cause outbound network activity. If you are not comfortable with these gaps or with installing an npm package from an unknown publisher, do not enable the skill until the author provides clearer metadata and a trusted install source.
Like a lobster shell, security has layers — review code before you run it.
