Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Meme Scanner

v2.0.0

A Meme-coin chain-scanning tool built on the official GMGN API. It automatically scans trending tokens, performs AI scoring and risk analysis, and pushes formatted notifications. It uses the GMGN API exclusively, so the data is accurate and reliable.

by 0xshahai@hanguang254

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious (View report →)
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The skill claims to be "fully using the GMGN official API" (v2), and the v2 script does call GMGN endpoints via CDP, which is consistent with that claim. However, the package also contains an older v1 script that still calls Ave.ai and includes a hard-coded AVE_API_KEY constant. The registry metadata declares no required env vars or binaries, but the runtime actually requires a Chrome instance with remote debugging enabled (CDP). These mismatches (leftover Ave.ai usage and an undeclared Chrome CDP requirement) are inconsistent with the stated purpose.
Instruction Scope (flagged)
SKILL.md instructs the agent/user to start Chrome with remote debugging on port 9222 and connect OpenClaw to it over CDP in order to bypass Cloudflare. The scripts then use CDP to execute fetch() inside the browser context. Requiring the user to run a remotely controllable browser with CDP enabled is a material runtime requirement that is not represented in the metadata. SKILL.md also refers to another skill's documentation (Token Analyzer) for setup, which creates an external dependency and scope creep.
Install Mechanism
There is no install spec (the skill is instruction-only), which minimizes automated installation risk. However, the package does include two Python scripts that will be executed by the user/agent and that require third-party Python packages (websockets, aiohttp). SKILL.md mentions websockets, but there is no explicit dependency installation step. The absence of an install step combined with embedded scripts means a user/agent could end up running code without an explicit, auditable install process.
Credentials (flagged)
Registry metadata declares no required environment variables, yet the v1 script contains a hard-coded AVE_API_KEY and AVE_API_BASE. Embedding a third-party API key in the repository is unexpected and unnecessary under the v2 "GMGN-only" claim; it is an unexplained credential leak or leftover. The scripts also write to /root/.openclaw/workspace/scanned_tokens.json (a workspace file). That file access is reasonable for keeping scan state, but it is a persistent local artifact to be aware of.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. It reads and writes a single workspace file for scanned token state, which is proportional for its functionality. Agent autonomy (disable-model-invocation=false) is the platform default and not flagged here.
What to consider before installing
This skill appears to implement the advertised GMGN-based scanner, but it contains an older v1 script that still includes a hard-coded Ave.ai API key and calls Ave.ai endpoints, despite SKILL.md claiming Ave.ai was removed. Before installing:

1) Ask the publisher why the v1 file and the embedded AVE_API_KEY are present; remove or sanitize any embedded keys.
2) Only run this skill in an isolated environment (or sandbox/VM), because it asks you to start Chrome with remote debugging (ws://localhost:9222), which can expose your browser to remote commands.
3) Review and, if appropriate, delete the v1 script (or confirm its intended use).
4) Ensure the required Python dependencies (websockets, aiohttp) are installed intentionally, and verify the scripts' network targets (gmgn.ai and, if v1 remains, ave-api.com).
5) If you don't trust the source or cannot confirm the Ave.ai key is expendable, do not install or run it.

If you want higher confidence, request a clean release that only includes the v2 script, documents the Chrome/CDP requirement in the metadata, and does not contain embedded secrets.
