Indexy
Analysis
Indexy is a coherent instruction-only API skill for managing crypto indices, but it uses account/Web3 authentication and can create or rebalance remote indices, so users should confirm write actions.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
**Tool:** `update_index` ... **Endpoint:** `PATCH /beta/indexes/agent/{indexId}` ... "Full rebalance ... replaces the entire asset composition"The skill documents authenticated write operations that can materially change a user's remote crypto index composition. This is aligned with the skill's stated purpose, but users should notice that updates are not read-only.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Include your API key as a Bearer token... `Authorization: Bearer agent_your_key_here` ... "Web3 Authentication" ... `x-web3-signature`
The skill requires service credentials or Web3 signatures to authenticate to Indexy. This is expected for account-specific index management and is disclosed in the instructions.