mcp-crypto-data
Pass
Audited by ClawScan on May 10, 2026.
Overview
The included code only fetches read-only crypto data, but the npm package and environment-variable documentation do not fully line up, so verify the package and configuration before installing.
Before installing, verify that @vbotholemu/mcp-crypto-data is the intended npm package, consider pinning an exact version, and set the environment variable the code actually uses, NAUTDEV_BASE_URL, if you need a custom endpoint. The reviewed source is a read-only MCP server that fetches crypto market, fee, and Lightning statistics.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A future or mismatched npm package version could run different code than the reviewed artifacts.
The setup runs a remote npm package without a version pin. The supplied README also references a different package namespace, so users should verify the intended package before running it.
"command": "npx", "args": ["-y", "@vbotholemu/mcp-crypto-data"]
Pin the npm package version, verify the package namespace, and reconcile the README, SKILL.md, and package.json names.
If a user sets only L402_API_BASE_URL as instructed by SKILL.md, requests will still go to the default api.nautdev.com endpoint.
The implementation reads NAUTDEV_BASE_URL, while SKILL.md setup and metadata declare L402_API_BASE_URL. This mismatch can mislead users about which endpoint is actually used.
const BASE_URL = process.env.NAUTDEV_BASE_URL || "https://api.nautdev.com";
Update the documentation or code so the declared environment variable and the implementation match.
Automated or repeated agent use could consume metered API requests if the service enforces billing or quotas.
The README discloses that API requests may be metered. Since MCP tools can be invoked by an agent, users should be aware of possible request volume or cost implications.
Requests are metered via L402 micropayments.
Use the tool with reasonable invocation limits and confirm any L402 pricing or quota terms before enabling it for autonomous workflows.
