Airdrop Shark
Security checks across malware telemetry and agentic risk
Overview
The skill does not appear to access wallets or send data, but its eligibility checker is hard-coded/simulated while being presented as user-specific, and it solicits crypto sponsorship.
Install only if you understand that the current eligibility checks appear to be simulated/static rather than real wallet analysis. Do not pay for an unlock or act on eligibility results unless the maintainer clearly documents and implements real read-only checks, and verify the skill's source because the metadata links are inconsistent.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could believe the tool checked their actual wallet eligibility when it only returned canned results, which is risky in a crypto/airdrop context.
The eligibility checker is explicitly simulated and uses a hard-coded/example address, while the skill presents eligibility checking as if it can evaluate a user's address.
// Simplified eligibility check (simulated data; should actually query on-chain data)
function checkEligibility(project, address = null) {
  const defaultAddress = '0x33f9...5ad9';
Clearly label the eligibility output as demo data, implement real read-only address parsing/checking if claimed, or remove user-specific eligibility claims until they are supported.
A user might pay for an unlock that is not clearly implemented, especially after seeing simulated eligibility outputs.
The README advertises a paid unlimited-query unlock via crypto payment, but the provided scripts do not show a corresponding rate-limit or unlock mechanism.
**Sponsorship unlock**: 0.5 USDT/USDC → unlimited queries
**Sponsorship address**:
- USDT (ERC20): `0x33f943e71c7b7c4e88802a68e62cca91dab65ad9`
- USDC (ERC20): `0xcb5173e3f5c2e32265fbbcaec8d26d49bf290e44`
Do not present paid unlock claims unless the unlock behavior is implemented and clearly explained; otherwise describe the addresses only as optional donations.
Users may have more difficulty confirming they are installing the intended skill from the intended maintainer.
The package name and linked repository/homepage use different airdrop-shark vs airdrop-alert identifiers, which makes provenance harder to verify.
"name": "airdrop-shark" ... "repository": { "url": "https://github.com/gztanht/airdrop-alert" },
"homepage": "https://clawhub.com/skills/airdrop-alert"
Verify the publisher and repository manually, and the maintainer should align the registry, package, repository, and homepage metadata.
Project names and reminder dates entered by the user remain on disk until removed.
The reminder feature persists user-created reminder data in a local JSON file.
const REMINDERS_FILE = path.join(DATA_DIR, 'reminders.json'); ... fs.writeFileSync(REMINDERS_FILE, JSON.stringify(data, null, 2));
Use the remove command for reminders you no longer want, and avoid storing sensitive notes in reminder project names.
