ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Birdeye MCP Skill

v1.0.0

Use Birdeye MCP through UXC for token market data, trending and discovery workflows, price monitoring, and DEX-related reads with help-first live tool discov...

0· 112·1 current·1 all-time
by@jolestar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Birdeye MCP for token market/discovery reads) aligns with the instructions to call https://mcp.birdeye.so/mcp via the uxc tool and to prefer read-only queries. Requiring 'uxc' and an API key is reasonable for this integration. No unrelated services or capabilities are requested.
Instruction Scope
SKILL.md gives explicit, bounded runtime instructions (probe host with help-first, configure uxc credential/binding, use birdeye-mcp-cli, prefer narrow reads). These instructions stick to the stated purpose. They do instruct the agent to configure credentials and to interact with a secret-op path and an environment variable (BIRDEYE_API_KEY) — see environment_proportionality for the metadata mismatch.
Install Mechanism
No install spec is present (instruction-only skill), which minimizes installation risk. The only code file is a local validation script; there is no automated download or archive extraction.
!
Credentials
SKILL.md expects an API key (examples reference BIRDEYE_API_KEY and op://Engineering/birdeye/api-key) and shows how to bind an X-API-KEY header. However, the skill metadata declares no required environment variables or primary credential. This metadata omission is an incoherence: the skill will require secrets at runtime even though none are declared. The reference to an op://Engineering secret path may point to an internal secret manager and should be validated before use.
Persistence & Privilege
The instructions direct use of 'uxc auth credential set' and 'uxc auth binding add', which will persist credentials/bindings into the uxc configuration. This is expected for a credentialed client integration and not unusual, but users should understand it modifies local/uxc state (not the skill system). 'always' is false and the skill does not request elevated platform privileges.
What to consider before installing
This skill appears to do exactly what it says — read-only access to Birdeye MCP — but the SKILL.md requires an API key (BIRDEYE_API_KEY or a secret-op path) while the registry metadata lists no required env vars. Before installing, confirm: (1) you or your org will supply a Birdeye API key (and whether it should be provided via BIRDEYE_API_KEY or your secret manager), (2) you trust the endpoint mcp.birdeye.so and the 'uxc' tool used to persist credentials, and (3) you are comfortable that running the suggested 'uxc auth credential set' will store the API key in your local/uxc config or your secret manager binding. If any of those are unclear, request the skill publisher to update the registry metadata to declare the required env var(s) and to explain the op:// secret usage. Test with narrow, read-only queries first and avoid providing unrelated credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk9749sv6v3avcxjv4pwt771p8h833hby

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments