v1.0.0

Immortal

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:49 AM.

Analysis

This skill is a straightforward crypto-risk reporting tool that makes disclosed HTTP calls to a Majestify API and does not show credential use, persistence, destructive behavior, or hidden local data access.

Guidance

This looks safe to install for its stated purpose if you are comfortable with it contacting the Majestify crypto-health API. Review the endpoint you use, remember that results come from an external service, and do not let the classifications automatically drive real financial actions without human judgment.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
SKILL.md
Python 3.10+ ... httpx (optional) ... Internet access to the Majestify API

The skill discloses runtime expectations in the README even though the registry requirements list no required binaries, packages, or environment variables. This is an under-declared metadata issue rather than hidden behavior.

User impact: Installation metadata may not fully signal that running the skill requires Python and internet access.
Recommendation: Confirm Python is available and that outbound network access to the Majestify API is acceptable before using the skill.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/assess_vitality.py
DEFAULT_API_BASE = "https://crypto-health-hub.onrender.com" ... url = f"{api_base}/api/metrics/{coin}?days={days}"

The script sends the selected asset IDs and time window to an external API. This is disclosed and purpose-aligned, but users should be aware that requests and results depend on an outside service.

User impact: The external API can see which assets are being assessed and its responses influence the reported risk classification.
Recommendation: Use the default or custom API endpoint only if you trust that provider, and avoid treating the output as the sole basis for financial decisions.