Skill v1.0.2
ClawScan security
Unified crypto market data API and scripts for exchanges, markets, tickers, OHLCV, and orderbooks · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 7:13 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is coherent with its stated purpose: it calls the Milaex market-data API using a single API key and local Python scripts; there are no surprising credential requests or hidden installs.
- Guidance
- This package appears to be a straightforward Milaex market-data client. Before installing: (1) Verify you trust the source/homepage (https://api.milaex.com) and that you intended to use Milaex; (2) Only supply a real MILAEX_API_KEY if you trust the code and host — the key will be sent in the x-api-key header to the configured base URL; (3) Be aware of two persistence items: the SKILL.md suggests storing the key in ~/.clawdbot/openclaw.json (this will persist the secret in your agent config), and the client honors an optional MILAEX_BASE_URL env var — do not set this to an untrusted host (it would cause your API key to be sent there); (4) The only runtime dependency is the 'requests' Python package (pip install --user requests); (5) If you want extra caution, inspect the included scripts (they are small and readable) or run the provided test_unauthorized.py with a dummy key to verify behavior before supplying your real key.
Review Dimensions
- Purpose & Capability
- ok: Name/description, required binary (python3), required env var (MILAEX_API_KEY), and the included scripts all align with a market-data client for the Milaex API. The code only implements endpoints described in the SKILL.md (exchanges, markets, tickers, OHLCV, orderbooks).
- Instruction Scope
- note: SKILL.md instructs running the included scripts and storing MILAEX_API_KEY in the agent config or env. The client code also supports an optional MILAEX_BASE_URL environment variable (used to override the API base URL) which is not listed in the 'Required env vars' section; this is harmless by itself but worth noting because it changes where requests (and the API key) are sent.
- Install Mechanism
- ok: There is no install spec that downloads/extracts arbitrary code. This is an instruction + code bundle; the only dependency is the well-known 'requests' Python package and the SKILL.md documents installing it via pip --user. No untrusted URLs or archive extraction are present.
- Credentials
- note: Only MILAEX_API_KEY is required, which matches the skill's purpose. The optional MILAEX_BASE_URL env var (present in the client code, not required) can redirect requests to a non-Milaex host if set; in that situation the API key would be sent to the configured host. The number and sensitivity of env vars requested are otherwise proportionate.
- Persistence & Privilege
- note: always:false and the skill does not request elevated privileges. The SKILL.md recommends storing the API key in the OpenClaw/Clawdbot config (~/.clawdbot/openclaw.json) so the agent can inject the env var; that persists the secret in agent config and is an expected convenience but something users should consciously accept.
