Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GMGN Skill Track

v1.2.8

Get real-time crypto buy/sell activity from Smart Money wallets, KOL influencer wallets, and personally followed wallets via GMGN API — alpha signals, whale...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals: Crypto · Requires wallet · Can sign transactions · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill description (real‑time on‑chain tracking via GMGN API) matches the SKILL.md guidance to use gmgn-cli and the GMGN API, so purpose vs capability is generally coherent. However, the registry metadata declares no required credentials or config paths while the instructions explicitly require GMGN_API_KEY in ~/.config/gmgn/.env — an omission in metadata that reduces transparency.
Instruction Scope
SKILL.md is prescriptive about using gmgn-cli only (no webfetch/curl) and details how to parse responses and rate‑limit headers (expected). But it also instructs the agent to run local network probing commands (ifconfig/ip addr) to check IPv6 and to perform an external test request to ipv6.icanhazip.com. Asking the agent to inspect local network interfaces and run outbound tests is outside purely 'fetch API data' work and should be explicitly declared/justified; it's relevant for a connectivity troubleshooting step but increases the surface of local system access.
Install Mechanism
There is no declared install spec in the registry, but SKILL.md tells users to install gmgn-cli with 'npm install -g gmgn-cli' if missing. Instructing global npm installs is a moderate risk (third‑party code executed on the host). The absence of a declared, verifiable install source (homepage, GitHub release, or package origin) makes it harder to audit the package before installation.
Credentials
The registry lists no required env vars or config paths, yet SKILL.md requires a GMGN_API_KEY stored in ~/.config/gmgn/.env and indicates user-specific follow lists are resolved from that account. Requiring a single API key is reasonable for this purpose, but failing to declare it (and the config path) is a transparency issue. Also note the skill's 'follow-wallet' subcommand accesses user-specific account data via that key — appropriate for the feature but sensitive and should be declared.
Persistence & Privilege
The skill has no 'always' privilege and is user‑invocable with autonomous invocation allowed (platform default). It does not request to modify other skills or system configuration permanently. The main persistence concern is the implicit installation of a global npm package, which is normal but should be reviewed prior to install.
What to consider before installing
This skill appears to do what it says (uses a GMGN CLI to fetch on‑chain 'follow', 'kol', and 'smartmoney' signals), but the registry metadata omits an important detail: SKILL.md requires a GMGN_API_KEY stored at ~/.config/gmgn/.env and may ask you to install a third‑party npm package (gmgn-cli). Before installing or running it:

1. Verify the provenance of gmgn-cli (check the npm package page or source repo; avoid installing global packages from unknown authors).
2. Confirm you are comfortable storing your GMGN_API_KEY on the host and that the key's permissions are limited.
3. Prefer installing/testing the CLI in an isolated environment (container or VM) first.
4. Ask the skill author/registry to update metadata to declare the required env var and config path and to provide a homepage/source link for auditability.

If you do not trust the npm package or cannot verify GMGN's site/package, treat this as higher risk.


latest: vk972xkxsfrs6cs3jp0j00vm8x184xpmk
