Kelly Formula Crypto

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a coherent Kelly-position calculator, with disclosed external API/x402 payment behavior that users should notice before invoking it.

Before installing or invoking, be aware that the hosted skill may contact an external API and may request a 0.01 USDC x402 payment. Verify any wallet prompt and inspect the GitHub source if you choose to install from the README instructions.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your calculator inputs may be sent to the hosted service when the skill is invoked.

Why it was flagged

The skill declares an external calculation API. This is consistent with a paid hosted calculator, but users should understand that invocations may contact an external service rather than run only locally.

Skill content

endpoint: "https://kelly-formula-crypto.vercel.app/api/calculate"
capabilities:
  - api_call

Recommendation

Use the skill only when you are comfortable sending the entered trading assumptions to the disclosed endpoint.

What this means

Calling the skill may cost 0.01 USDC per paid invocation.

Why it was flagged

The skill discloses its x402 payment details (amount, currency, and destination wallet) and says a payment request is initiated on invocation. This is purpose-aligned for a paid skill but involves user funds.

Skill content

auth_type: "x402"
price: "0.01"
currency: "USDC"
wallet: "0x24b288c98421d7b447c2d6a6442538d01c5fce22"
...
A 0.01 USDC payment request is automatically initiated on invocation.

Recommendation

Confirm any wallet or payment prompt before allowing the call, and avoid enabling repeated autonomous invocations unless you intend to pay each time.

What this means

Installing from the linked repository could expose you to code changes outside the reviewed package.

Why it was flagged

The README provides an optional external GitHub install path. The included requirements file is empty, but users who follow the clone command should ensure the repository matches the reviewed artifact.

Skill content

git clone https://github.com/jinboh68-prog/kelly-formula-crypto.git
cd kelly-formula-crypto
pip install -r requirements.txt

Recommendation

Prefer the reviewed artifact or inspect the GitHub repository before running code from it.