Skill v1.0.0

ClawScan security

Crypto Macro Regime Classifier · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 21, 2026, 2:47 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's stated purpose (classifying crypto macro regime from public market and sentiment signals) matches the minimal runtime requirements and instructions; nothing requested or installed is disproportionate or unexplained.
Guidance
This skill looks coherent and low-risk: it only describes how to gather public market and sentiment signals and makes no unusual requests. Before installing, consider: (1) The SKILL.md is vague about how it fetches data — at runtime the agent may perform web requests or scraping (expect network access). (2) If you want more reliable data, you may need to supply API keys (Reddit, CoinGecko, or news APIs); avoid providing unrelated secrets. (3) Treat its output as informational, not financial advice — validate signals and test with paper trading. (4) If you need to constrain behavior, require explicit credentials or specify approved data endpoints so the agent doesn't fetch arbitrary sites.

Review Dimensions

Purpose & Capability
ok: Name, description, and declared data sources (Fear & Greed, Reddit, CoinDesk, BTC metrics) align with a macro-regime classifier. No unrelated credentials, binaries, or config paths are required.
Instruction Scope
note: SKILL.md is high-level and instructs the agent to use the listed public data sources but does not provide exact endpoints or methods. That vagueness grants the agent discretion to fetch/scrape web content or call public APIs; this is expected for an instruction-only skill but worth noting because it could cause broad network access at runtime.
Install Mechanism
ok: No install spec or code files — instruction-only skill. This is the lowest-risk model and nothing will be written to disk by an installer.
Credentials
ok: The skill requests no environment variables or credentials. Some referenced data sources (e.g., Reddit API) can require API credentials for robust access, but the absence of requested credentials is coherent if the agent will rely on public endpoints or scraping.
Persistence & Privilege
ok: always is false and model invocation is allowed (default). The skill does not request persistent or elevated privileges or modify other skills' config.