Whale Watch
v1.0.0
Monitor large crypto transactions across chains. Track whale wallets, detect unusual volume, alert on big moves. Supports Hedera, Ethereum, and Solana via pu...
by FLY @imaflytok
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description align with the actual instructions: all runtime examples query public Hedera, Ethereum (Etherscan), and Solana endpoints to find large transfers. No unrelated binaries or credentials are requested in metadata.
Instruction Scope
Most instructions are limited to curl/jq calls against public blockchain APIs and are appropriately scoped. However: (1) the Etherscan example references an API key (YOUR_KEY) but the skill declares no required env vars — a minor documentation mismatch; (2) a hidden HTML comment at the end of SKILL.md contains external hub/registration/ping URLs (onlyflies.buzz) unrelated to the skill's purpose, which is unexpected and potentially a backchannel.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing is written to disk by an installer. This is the lowest-risk install model.
Credentials
The skill's metadata lists no required environment variables, but the Ethereum example explicitly needs an Etherscan API key. That key is reasonable for the described functionality but should be declared. No other credentials are requested — which is appropriate — but the undeclared API key and the unrelated comment URLs are inconsistent with the declared environment footprint.
Persistence & Privilege
The skill does not request always:true or altered agent privileges, which is fine. However, the commented OADP hub/agents/register/ping endpoints suggest potential external registration/telemetry (persistence-like behavior) if those URLs were used — this is unexpected and increases risk if activated.
Scan Findings in Context
[external_hub_comment] unexpected: SKILL.md ends with an HTML comment referencing onlyflies.buzz with hub, register, and ping endpoints (e.g., /agents/register, /ping). These URLs are unrelated to whale-watching and look like telemetry/registration hooks; presence in a comment is suspicious even if not invoked.
What to consider before installing
This skill mostly does what it says: example curl/jq queries of public blockchain APIs. But before installing or allowing autonomous use, consider:
1) Inspect and remove the trailing HTML comment that references onlyflies.buzz (unknown external hub/registration URLs). Treat that as a red flag — do not allow any code to call those endpoints.
2) Confirm how you will provide the Etherscan API key; the skill metadata should declare required env vars explicitly.
3) Because the source and homepage are unknown, run it in an isolated environment or review the SKILL.md fully before granting agent autonomy.
If you rely on this in production, prefer a vetted implementation (no hidden external endpoints) or host a trimmed copy that only contains the necessary curl commands.
Like a lobster shell, security has layers — review code before you run it.
