ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cryptowatch

v1.0.2

Cryptowatch integration. Manage Markets, Assets, Exchanges, Pairs, Streams. Use when the user wants to interact with Cryptowatch data.

0· 87·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md describes using the Membrane CLI to access Cryptowatch. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Instructions are limited to installing and using the Membrane CLI, creating/listing connections, running actions, and proxying API requests. The doc does not instruct reading arbitrary local files or exfiltrating secrets; it explicitly advises against asking users for API keys.
Install Mechanism
This is an instruction-only skill (no install spec). The SKILL.md directs users to install a global npm package (@membranehq/cli). Installing a public npm package is expected for this flow, but users should verify the package (publisher, npm page, repo) before running global installs.
Credentials
The skill declares no required environment variables or credentials. It requires a Membrane account (delegates auth to Membrane), which is proportionate to the advertised behavior.
Persistence & Privilege
Skill does not request always:true, does not modify other skills, and does not claim persistent system-wide privileges. Autonomous invocation is allowed (platform default) but not combined with other red flags.
Assessment
This skill appears internally consistent: it delegates Cryptowatch access to the Membrane service and instructs you to use the @membranehq/cli. Before installing or running the CLI, confirm you trust Membrane: check the npm package page and repository, review permissions, and prefer installing in a controlled environment (or use a local install) rather than a global npm install if you want to limit system-wide changes. Remember that using this skill delegates your Cryptowatch auth to Membrane—only proceed if you accept that trust model and have reviewed Membrane's security/privacy terms.

Like a lobster shell, security has layers — review code before you run it.

latestvk979cqq0hwzecvq9jrpwvx3mqn84230k

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments