AVE Cloud Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a read-only AVE Cloud crypto data client, but users should notice the API-key requirement, optional live WebSocket modes, and some packaging/documentation inconsistencies.
Before installing, make sure you trust AVE Cloud with the AVE_API_KEY, verify the correct script name to run, consider pinning dependencies if installing locally or via Docker, and stop any WebSocket stream or container when you are done.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill consumes or exposes access to the user's AVE Cloud API entitlement for the requested queries.
The skill sends the configured AVE_API_KEY as the authentication header for AVE Cloud API calls. This is expected for the stated integration, but it gives the skill access to the user's AVE account quota.
`return {"X-API-KEY": get_api_key(), "Content-Type": "application/json"}`
Use a provider-scoped API key, avoid sharing the environment variable broadly, and rotate the key if it is exposed.
The agent or user may try to run a missing or different file than the one documented, causing confusion or failed execution.
The supplied manifest lists `scripts/ave_data_rest.py` and `scripts/ave_data_wss.py`, not `scripts/ave_client.py`, so the documented entry point does not match the packaged files.
The script is at `scripts/ave_client.py` relative to the skill root.
Confirm the intended command entry point before use and update the documentation or manifest so the referenced script matches the packaged code.
A future dependency release could change behavior or introduce a supply-chain issue even if the current artifacts are benign.
The optional Python dependencies use lower-bound version ranges rather than exact pins, which is common but means future installs can resolve to different package versions.
`requests>=2.28.0`
`requests-ratelimiter>=0.4.0`
`websocket-client>=1.6.0`
For repeatable or higher-trust use, pin exact dependency versions and review the packages before installation.
Live streams can continue using network resources and API quota until the process or container is stopped.
The WebSocket modes keep a live connection open for streaming data. This is disclosed and purpose-aligned for pro-plan real-time monitoring, but it is long-running behavior.
`ws.run_forever(ping_interval=30, ping_timeout=10)`
Run WebSocket modes only when live monitoring is needed, and stop the process or Docker container when finished.
