Skill v1.0.0
ClawScan security
Messari · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:11 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to implement a legitimate Messari API integration, but registry metadata and the runtime instructions disagree about required credentials and provenance is unknown — verify the API-key handling and source before installing.
- Guidance: Before installing:
  - Confirm provenance: the skill's source/homepage is missing; prefer skills published by a known owner or linked to an official Messari listing.
  - Verify how your Messari API key will be supplied and stored by the platform (the SKILL.md requires MESSARI_API_KEY, but the registry metadata doesn't list it). Ensure the platform injects the key only into requests to api.messari.io and does not expose it elsewhere.
  - Understand cost: Messari AI completions require paid AI credits — confirm who bears the cost when the skill uses AI endpoints.
  - If you proceed, provide only the Messari API key (no other unrelated secrets), monitor the skill's network usage, and revoke the key if you see unexpected behavior.
  - If you need higher assurance, request the publisher to correct the registry metadata to explicitly list MESSARI_API_KEY (and any other required vars) and provide an official homepage or owner verification.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md clearly documents a Messari integration and requires a Messari API key (MESSARI_API_KEY) and Messari AI credits, which match the described purpose. However, the registry metadata at the top of the provided package lists no required environment variables or primary credential — that is inconsistent. Requiring an API key is reasonable for this purpose, but the mismatch between the declared registry requirements and the SKILL.md is a red flag for sloppy packaging or incomplete metadata.
- Instruction Scope (note): The runtime instructions are focused on interacting with Messari's REST API (https://api.messari.io) and provide curl examples that include an API key header. They do not instruct reading local files, other environment variables, or sending data to third-party endpoints outside Messari. Minor note: SKILL.md mentions 'Messari AI credits' as required but does not define how those credits are provided; this is a usage/cost requirement rather than a secret the skill pulls from the environment.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files, so nothing will be downloaded or written to disk by an installer. That minimizes install-time risk.
- Credentials (concern): The skill legitimately needs a Messari API key to call the API, and SKILL.md declares MESSARI_API_KEY as required. But the package registry metadata (the top-level 'Requirements' block) claims no required env vars and lists no primary credential — an inconsistency that makes it unclear how the platform will prompt for or store the API key. No other unrelated credentials are requested, which is appropriate, but the mismatch should be resolved before trusting the skill with your API key.
- Persistence & Privilege (ok): The skill does not request 'always' presence and does not declare actions that modify system or other-skill settings. It appears to operate only when invoked and to make outbound calls to Messari, which is appropriate for its purpose.
