Crypto Tools
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only crypto reference appears purpose-aligned and cautious about financial advice, but users should be careful with wallet, portfolio, transaction, and API-key information.
This skill looks safe to install as an instruction-only reference. Before using it, remember that crypto portfolio data, wallet addresses, transaction exports, and API keys can be sensitive. Verify URLs, never share seed phrases or private keys, and keep final control over any wallet connection, approval revocation, transfer, or tax filing decision.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Wallet addresses, holdings, transaction history, or portfolio details could be exposed to external services or included in generated files if the user provides them.
The skill is intended to use external crypto APIs and may process wallet, portfolio, and transaction-history information. This is purpose-aligned, but it is financially sensitive data.
**Price data** | CoinGecko, CoinMarketCap APIs ... **Portfolio tracking** | Aggregate across exchanges/wallets ... **Tax prep** | Export transaction history (CSV)
Share only the wallet addresses or transaction data needed for the task, avoid private keys or seed phrases, and review any exported CSV before storing or sending it.
Connecting to a fake site or approving the wrong wallet action could expose the wallet address, waste fees, disrupt app access, or create security risk.
The skill advises connecting a wallet to an external approval-management service and performing revocations. This is legitimate security hygiene, but it involves wallet identity and permission-changing actions.
1. Go to revoke.cash 2. Connect wallet 3. Review all approvals 4. Revoke anything you don't actively use
Verify the official URL manually, never enter a seed phrase, and confirm every wallet transaction or revocation yourself.
If the user supplies an API key, that credential could be used to make provider requests and may reveal usage patterns to the provider.
Some documented data providers may require API keys. This is expected for crypto data access, and the artifacts do not show hardcoded keys, logging, or unrelated credential use.
| **CoinGecko** | Price, market cap, 24h volume | 10-50 req/min (free) | Optional API key | | **CoinMarketCap** | Price, rankings, metadata | 333 req/day (free) | Required |
Use separate, least-privilege API keys where possible, monitor provider usage, and do not provide exchange trading keys, withdrawal keys, private keys, or seed phrases.