ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bytesagain Crypto Tracker Cn

v1.0.0

Track cryptocurrency markets in real-time. 加密货币行情追踪、比特币价格、以太坊ETH、市值排行、DeFi数据、恐惧贪婪指数、趋势币种、空投信息、RSI技术分析、均线分析、金叉死叉、DeFi收益率对比、Gas费查询。Use when checking crypto pri.

0· 53·0 current·0 all-time
by@loutai0307-prog
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The scripts call public crypto APIs (CoinGecko, DefiLlama, Alternative.me) which aligns with the stated purpose. However the package metadata declares no required binaries while the included scripts clearly invoke curl and python3 (and use bash). The skill should have declared these runtime requirements.
Instruction Scope
SKILL.md tells the agent to run the CLI (crypto-tracker-cn) and use the provided commands—this matches the shipped scripts. The instructions do not instruct the agent to read unrelated files or exfiltrate data. They also omit explicit warnings that portfolio/alerts/history are stored locally (in plaintext JSON/log files).
Install Mechanism
No install spec or external downloads are used; the skill is instruction-only with included scripts. There is no remote code fetch from untrusted URLs in the provided files.
!
Credentials
The skill declares no required environment variables but the scripts honor an optional CRYPTO_TRACKER_CN_DIR and write into user home directories (~/.crypto-tracker and ~/.local/share/crypto-tracker-cn). The skill will create and store portfolio.json, alerts.json and logs in plaintext; this is reasonable for a local CLI but may expose sensitive portfolio data if you expect secrecy or if multiple users share the machine. Also the metadata omission of required binaries is a mismatch.
Persistence & Privilege
always is false and the skill does not request elevated privileges. It does create files under user-owned data directories only (no system-wide changes). Autonomous invocation is allowed (platform default) but that is not a unique risk here.
What to consider before installing
This skill appears to do what it says (fetch data from CoinGecko/DefiLlama/Alternative.me) but review these points before installing: 1) Ensure your environment has curl, python3, and bash available — the metadata doesn't declare them. 2) The scripts create plaintext files (portfolio.json, alerts.json, history.log) under your home directory (~/.crypto-tracker and ~/.local/share/crypto-tracker-cn). If you will store sensitive holdings or prices, consider storing these files encrypted or running the tool in a sandbox. 3) The skill uses two different data directories (inconsistent naming); confirm where your data will be written so you don't leak or lose it. 4) Inspect the full scripts (especially the alert handler shown truncated in the manifest) for bugs and confirm desired behavior. 5) If you plan to let the agent invoke this autonomously, be aware it can create and modify those local files — limit autonomous use or run in an isolated account/container if you want stronger protections.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cj67y9a2fvqrztqd9nswk3d8460ds

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments