Back to skill
Skillv1.0.3
ClawScan security
trongrid-token-list · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 19, 2026, 10:17 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and runtime instructions match its stated purpose (listing and ranking TRON tokens via TronGrid MCP); it requires no installs, credentials, or unrelated access and does not appear to do anything unexpected.
- Guidance
- This skill is internally consistent and low-risk: it only outlines making TronGrid MCP queries to list and rank TRC-20/TRC-10 tokens and requests no credentials or installs. Before installing, confirm that your agent environment allows outbound network calls only to trusted endpoints (TronGrid) and that you will not paste private keys or sensitive credentials into prompts. Note the skill does not provide market price/cap data—if you need prices, use a trusted market-data provider. If the skill later adds an install step or requires an API key, re-evaluate those changes.
Review Dimensions
- Purpose & Capability
- okSkill name/description (token discovery on TRON) aligns with the instructions (calls to TronGrid MCP endpoints like getTrc20Info, getTrc20TokenHolders, getContractTransactions, and TRC-10 pagination). Built-in contract list is reasonable for general queries.
- Instruction Scope
- okSKILL.md instructs only to query TronGrid MCP endpoints and to filter/rank on-chain signals. It does not ask the agent to read local files, request unrelated environment variables, or transmit data to third-party endpoints outside of the expected TronGrid/contextual market-data note. Example workflows are consistent with the stated purpose.
- Install Mechanism
- okNo install spec or code files are present; this is instruction-only, which minimizes on-disk risk. There are no downloads or external installers referenced.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. It does not request secrets or keys in the SKILL.md and relies on public TronGrid MCP calls; the requested access is proportionate to the stated functionality.
- Persistence & Privilege
- okalways:false and no special persistence or system modification is requested. The skill can be invoked normally by the agent and does not request permanent/always-on privileges.