Skill v1.0.0

ClawScan security

Whale Radar — Orion · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 16, 2026, 12:31 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill claims to provide real-time whale detection on Base but is instruction-only with no data sources, APIs, or credentials declared — so outputs are likely hallucinated or merely a sales front for a paid ACP agent.
Guidance
This skill is essentially a marketing/template wrapper that advertises live whale alerts but contains no implementation to fetch on-chain data. Do not rely on it for trading signals unless you confirm how it obtains data. Before installing or using: (1) verify whether the platform has the ACP 'Orion' agent and what costs/permissions hiring it requires, (2) ask for the data sources/endpoints or proof of historical accuracy, (3) test outputs against known events to detect hallucination, and (4) avoid giving payment or API credentials without explicit, documented need. If you need real-time on‑chain whale detection, prefer skills that declare their data sources (RPC providers, indexers, or APIs) or provide code/install steps showing how queries are made.
Findings
[NO_CODE_OR_INSTALL] expected: The regex scanner found no code files or install spec — expected because this is an instruction-only skill. However, that amplifies the mismatch between claimed live data capability and the skill's lack of data-access mechanisms.

Review Dimensions

Purpose & Capability
concern: The skill promises live cbBTC whale detection on the Base chain (last 4 hours) but provides no code, no install, no API endpoints, and no required credentials that would allow on‑chain queries. That mismatch means the skill cannot legitimately generate real-time on‑chain signals by itself; at best it is a template that points users to a paid Orion ACP service.
Instruction Scope
concern: SKILL.md contains only a high-level UX template and marketing for a paid upgrade. It does not instruct the agent how to fetch blockchain transactions, how to compute thresholds, or which endpoints to call. It does instruct the agent to 'Use the ACP skill to hire agent: Orion', which implicitly relies on another skill being present; otherwise the agent may fabricate alerts.
Install Mechanism
ok: No install spec and no code files — minimal surface area. This is low-risk from an installation perspective because nothing is written to disk or automatically installed.
Credentials
note: The skill requests no environment variables or credentials, which is internally consistent for an instruction-only template. However, because it claims to produce live on‑chain data yet requests no API keys or node access, this absence is a red flag: it cannot access real-time blockchain data without additional capabilities (e.g., ACP hire or another skill).
Persistence & Privilege
ok: Default privileges (not always:true, user-invocable). The skill does not request persistent system presence or elevated privileges and does not modify other skills' configs.