Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Meme Signal Evaluator

v0.1.0

6-dimensional scoring engine for meme tokens with automated paper trading simulation. Use this skill when users ask to evaluate/score meme tokens, set up buy...

by xueqiu @ls569333469
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a coherent 6-dimension scoring engine and paper-trading simulation that aligns with the name/description. However, it repeatedly references external services (Token Dynamic API fields, Smart Money signals, Social Hype Leaderboard, Topic Rush, Meme Exclusive ranking, etc.) that are necessary for the stated functionality but the skill declares no required environment variables, endpoints, or credentials. That omission is unexpected and reduces clarity about how the skill would actually obtain needed data.
Instruction Scope
The runtime instructions stay within the stated domain: scoring tokens, strategy matching, and paper trading. They do not instruct the agent to read arbitrary local files, system configs, or other unrelated secrets. The SKILL.md is algorithmic and high-level rather than giving concrete commands; the main problem is vagueness about how external data is fetched and where results are transmitted.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which is the lowest-risk install model. Nothing is written to disk by an installer.
Credentials
The skill implies heavy use of multiple third-party data providers/APIs, which in practice typically require API keys or paid access. Yet requires.env and primary credential are empty. That mismatch could mean the skill expects the platform to supply those feeds (not documented), or it will prompt for credentials at runtime — both are important to clarify. The absence of declared credentials is disproportionate to the number of external services referenced.
Persistence & Privilege
The skill does not request always:true, does not declare any install-time persistence, and does not instruct modification of other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other red flags.
What to consider before installing
This skill appears to be a high-level scoring and paper-trading design rather than a ready-to-run integration. Before installing or using it:
1) Ask the author (or vendor) for the concrete data sources/endpoints and whether you need API keys or paid subscriptions for Token Dynamic, Smart Money feeds, Topic Rush, Social Hype, etc.
2) Do not paste API keys or secrets into the skill without knowing exactly where they will be stored/used — the SKILL.md does not declare required env vars or where credentials would live.
3) If you plan to let the agent execute trades (even paper trades), confirm network access, logging, and how trade records are stored; run initial tests in a sandboxed environment.
4) Prefer skills with a clear source repo, documentation, and explicit list of required credentials; absence of provenance increases risk.
Providing that additional information (source code or explicit integration instructions and required env vars) would raise confidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk975awnwfdsp5mxwbpvpbyd27s8347hk
