Skill v2.0.1
ClawScan security
CryptoLens · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 5:03 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and network calls are consistent with a paid crypto-analysis tool; the only notable concern is an embedded SkillPay API key in the script (documented in SKILL.md) which you should understand before using.
- Guidance: This skill appears to do what it says: fetch market data, compute indicators, and generate charts. Before installing, be aware that (1) the script embeds a publisher SkillPay API key and Skill ID — this is required for the skill to create billing charges for a provided wallet address, but the key is in cleartext in the code, so only install if you trust the publisher; (2) you should never provide private keys or secrets — the skill only needs a public wallet address for billing; (3) inspect the full script yourself (the provided file was truncated) or run it in a sandbox if you want to verify there are no hidden endpoints or behaviors; and (4) review SkillPay.me's terms and the payment flow described in SKILL.md so you understand whether charges require your explicit on-chain approval (as claimed). If you don't trust the publisher or the embedded key, do not install or run the skill.
Review Dimensions
- Purpose & Capability (ok): Name/description (multi-coin comparison, indicators, scoring) match the bundled Python script and its use of CoinGecko/Hyperliquid data sources and charting libraries. Requiring python3 and numpy/matplotlib is proportionate.
- Instruction Scope (ok): SKILL.md directs the agent to run the included script with a user wallet id and to return generated charts via a MEDIA: <path> line. The runtime instructions and the script operate on market APIs and /tmp caches only — they do not request unrelated files, local credentials, or broad system access.
- Install Mechanism (ok): There is no download/install step beyond using the provided Python script and the small requirements.txt (matplotlib, numpy). No third-party archives or unusual install locations are used.
- Credentials (note): The skill does not request environment variables or user secrets, but the Python script contains an embedded SkillPay API key and Skill ID (documented in SKILL.md as 'embedded'). Embedding a publisher billing key is consistent with a paid skill, but it means the key is present in distributed code and could be inspected or reused if exposed. SKILL.md also requires the user to provide a BNB wallet address (--user-id) for billing; the script does not ask for private keys.
- Persistence & Privilege (ok): The skill is not forced-always, does not modify other skills, and only writes transient cache files to /tmp. It does not request elevated or persistent system privileges.
