CryptoLens

Security checks across static analysis, malware telemetry, and agentic risk

Overview

CryptoLens is a coherent paid crypto-analysis skill, with disclosed SkillPay billing and external market-data calls that users should understand before use.

Before installing, understand that each successful command may deduct 1 token through SkillPay using the wallet address you provide, and that crypto symbols and billing identifiers are sent to external services. Treat the trading-style output as analysis, not guaranteed financial advice.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

Running a command with a wallet address can deduct the advertised SkillPay token cost from that user's SkillPay balance.

Why it was flagged

The script uses an embedded publisher billing credential to initiate a SkillPay charge against the supplied user_id. This is disclosed and purpose-aligned for a paid skill, but it is still financial and account authority that users should notice.

Skill content
BILLING_URL = "https://skillpay.me/api/v1/billing" ... _post_json(f"{BILLING_URL}/charge", {"user_id": user_id, "skill_id": SKILL_ID}, headers={"X-API-Key": BILLING_API_KEY})
Recommendation

Only provide the wallet address you intend to use for SkillPay billing, keep deposits limited to the amount you are comfortable spending, and verify charges in SkillPay.

ASI07: Insecure Inter-Agent Communication
Low
What this means

SkillPay receives the billing identifier, and market-data providers receive cryptocurrency query details needed to produce the analysis.

Why it was flagged

The skill communicates with external providers for market data and billing. This is expected for the stated functionality, but it means wallet billing identifiers and requested asset symbols leave the local environment.

Skill content
COINGECKO_PRICE_URL = "https://api.coingecko.com/api/v3/simple/price..." ... HYPERLIQUID_INFO_URL = "https://api.hyperliquid.xyz/info" ... BILLING_URL = "https://skillpay.me/api/v1/billing"
Recommendation

Use the skill only if you are comfortable sharing the wallet address used for billing with SkillPay and sending coin queries to the listed market-data services.