Token Shark
Security checks across malware telemetry and agentic risk
Overview
The skill does not show data theft or trading code, but it appears to present mock token data as real-time investment analysis, which could mislead users.
Only install this as a demo or toy tool unless the author clearly documents and implements real data sources. Do not rely on its prices, risk scores, or investment suggestions for trading, and be cautious about sending crypto sponsorship payments for claimed unlimited queries.
VirusTotal
63/63 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could mistake hardcoded/demo token prices, liquidity, and risk scores for real market intelligence and make poor financial decisions.
The code itself says the token feed is simulated and should actually come from a DEX API, while the skill advertises real-time monitoring, risk scoring, and market analysis.
// Simulated new token data (should actually be fetched from a DEX API)
Clearly label all outputs as mock/demo data unless live DEX, on-chain, and contract-analysis sources are actually implemented and disclosed.
The skill may produce confident-looking risk ratings and investment suggestions that are not grounded in actual token safety data.
Risk assessment is based on the last character of the provided address rather than real contract, liquidity, holder, team, or community analysis.
const lastChar = address.slice(-1); ... const isLowRisk = ['0', '1', '2', 'a', 'b', 'c'].includes(lastChar);
Do not present these scores as real risk assessments; either implement verifiable data sources or restrict the skill to demonstration/testing use.
Someone with local file access could see which token alerts the user created.
The alert feature persists token addresses and target prices to a local JSON file.
const ALERTS_FILE = path.join(DATA_DIR, 'alerts.json'); ... fs.writeFileSync(ALERTS_FILE, JSON.stringify(data, null, 2));
Treat alert data as local watchlist information and delete data/alerts.json if you no longer want it retained.
