Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
DSCVR Intelligence Skill
v1.0.0
Query DSCVR crypto intelligence APIs for market news, event tracking, smart money analysis, prediction market data, AI-powered event discovery, market orderb...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill description, SKILL.md, and scripts all implement a DSCVR API client that signs requests with HMAC-SHA256 and requires DSCVR_API_KEY and DSCVR_SECRET_KEY. However, the provided registry metadata lists no required env vars or primary credential. The keys themselves are consistent with the stated purpose (they are needed), but the metadata omission is unexpected and increases risk because an automated installer or reviewer would not know to prompt for secrets.
Instruction Scope
The runtime instructions and scripts limit actions to constructing HMAC headers and making HTTP requests to the DSCVR API endpoints (default base URL https://api.dscvr.one). The scripts only read DSCVR_API_KEY, DSCVR_SECRET_KEY, and optional DSCVR_API_BASE_URL; they do not attempt to read arbitrary system files or unrelated environment variables. One minor oddity: the auth CLI's curl example references http://localhost:8888 which appears to be a local proxy example — not an exfiltration endpoint, but worth double-checking your base_url before use.
Install Mechanism
This is instruction-plus-scripts (no explicit install spec). Dependencies are declared inline (PEP 723) and resolved by 'uv run' (httpx). There are no downloads from unknown URLs or archive extraction in the package. Installing will pull standard Python packages (httpx) via the Python packaging ecosystem — expected for a CLI client.
Credentials
The two requested secrets (DSCVR_API_KEY and DSCVR_SECRET_KEY) are proportionate and necessary for authenticated API access. The problem is the package metadata does not declare these required environment variables or a primary credential — that omission is inconsistent and could lead to accidental key exposure or user confusion. Confirming the exact credential names and scopes before supplying secrets is recommended.
Persistence & Privilege
The skill does not request persistent platform privileges (always: false) and does not modify other skills or system-wide settings. It runs on-demand via CLI and uses environment variables for credentials. Note: the skill is model-invocable by default (normal for skills); this alone is not a red flag here.
What to consider before installing
This package appears to be a straightforward client for the DSCVR intelligence API and legitimately needs two credentials (DSCVR_API_KEY and DSCVR_SECRET_KEY). However, the registry metadata incorrectly lists no required environment variables — treat that as a red flag. Before installing or giving the skill secrets:
1) verify the publisher (dscvr.one) and the subscription page referenced;
2) confirm the exact environment variable names and ensure you only provide keys with the minimum necessary scope;
3) review the scripts yourself (they are included) or run them in an isolated environment;
4) check DSCVR_API_BASE_URL if you use a proxy (the auth example prints a localhost URL — ensure you don’t accidentally send keys to a local/unexpected proxy); and
5) prefer creating a dedicated API key that can be revoked if anything unexpected happens.
The inconsistency between package metadata and the code is the main reason this is classified as suspicious rather than benign.
Like a lobster shell, security has layers — review code before you run it.
