ClawHub

Unified crypto market data API and scripts for exchanges, markets, tickers, OHLCV, and orderbooks

PassAudited by ClawScan on May 1, 2026.

Overview

The skill is a read-only Milaex market-data client; the main precautions are protecting the API key, trusting the configured API host, and installing its Python dependency from a trusted source.

This appears safe to install if you trust Milaex and need read-only crypto market data. Before installing, use a limited/revocable API key if possible, store it securely, do not paste it into prompts or logs, keep `MILAEX_BASE_URL` unset unless you trust the endpoint, and install the `requests` dependency from a trusted environment.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI03: Identity and Privilege Abuse
What this means

The agent can use the key to query Milaex and consume account rate limits or plan quota; if the base URL override is untrusted, the key could be sent to the wrong endpoint.

Why it was flagged

The client sends the configured Milaex API key as an HTTP header, and the destination defaults to Milaex but can be changed with `MILAEX_BASE_URL`.

Skill content
base_url = os.getenv("MILAEX_BASE_URL", "https://api.milaex.com").rstrip("/") ... headers = {"x-api-key": cfg.api_key, "accept": "application/json"}
Recommendation

Use a revocable market-data-only key if available, store it securely, and leave `MILAEX_BASE_URL` unset unless intentionally pointing to a trusted Milaex-compatible endpoint.

Info
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

Installing an unpinned dependency relies on the current package source and resolver, which can affect reproducibility or security if the environment is not trusted.

Why it was flagged

The skill relies on an external Python package installed manually without a pinned version; this is expected for a small API client but is still a supply-chain consideration.

Skill content
Scripts require Python 3 and `requests`.

Install dependency if needed:
```bash
python3 -m pip install --user requests
```
Recommendation

Install dependencies from a trusted Python environment, consider pinning `requests` in your own environment, and avoid running the skill in environments with untrusted packages.