Skillv1.0.1

ClawScan security

Chainup Spot Trading · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 11, 2026, 2:56 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill appears to implement ChainUp spot/margin trading correctly, but it quietly reads a host config file (/root/TOOLS.md) and references API secrets that are not declared in the skill metadata — an inconsistency that could accidentally expose unrelated credentials or surprise users.
Guidance: Before installing or enabling this skill: 1) Understand it expects ChainUp API credentials and a base URL even though the skill metadata does not declare those env vars. 2) The skill prefers to read /root/TOOLS.md and will use any usable credentials found there — review that file first (it may contain other secrets you don't want the skill to access). 3) Review the included scripts/chainup_api.py yourself (or run it in an isolated/sandboxed environment) to ensure there are no hidden endpoints or unexpected behavior. 4) If you want tighter control, provide credentials via environment variables or CLI arguments and remove/secure /root/TOOLS.md, and ask the publisher to update the skill metadata to declare required env vars and config paths. 5) Because the skill can place real trades, only use it with keys that have appropriate permissions (consider read-only keys for testing) and require two-step confirmations as described in SKILL.md before live operations.

Review Dimensions

Purpose & Capability: noteFunctionality (placing orders, signing with X-CH-APIKEY/X-CH-SIGN) matches the stated ChainUp trading purpose. However, the skill metadata declares no required env vars or config paths while the runtime instructions and script clearly expect credentials (CHAINUP_API_KEY / CHAINUP_SECRET_KEY / CHAINUP_BASE_URL) and prefer reading /root/TOOLS.md. That mismatch is unexpected and should be justified in metadata.
Instruction Scope: concernThe SKILL.md explicitly instructs the agent to prefer reading /root/TOOLS.md and to use any usable credentials found there without requiring the user to set environment variables. That grants the skill automated access to a host file that may contain unrelated secrets. The instructions also forbid fallback to manual HTTP signing and insist all requests go through the included script, which centralizes network activity (not inherently bad) but increases the impact if the script behaves badly.
Install Mechanism: okThere is no external install step or remote download; the skill is instruction-first and embeds a local Python script. No installer or third-party package fetch was specified, lowering install-time risk.
Credentials: concernThe skill uses and documents sensitive variables (API key and secret) and supports env vars and a CLI override, which is appropriate for a trading skill — but the skill metadata did not declare these required environment variables or config paths. The implicit preference to read /root/TOOLS.md (a host file) is disproportionate because it could give the skill access to other credentials stored there.
Persistence & Privilege: okThe skill does not set always:true and does not request special platform privileges. It does include an executable script that will run when invoked, but it does not modify other skills or global config per the provided files. Autonomous invocation is enabled by default (normal) but does not by itself raise this flag.