valuescan-skill-beta
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent ValueScan API integration for crypto market analysis, with expected API-key use and no artifact-backed malicious behavior.
Before installing, confirm you are comfortable storing a ValueScan API key and secret at the documented OpenClaw credential path and having the skill send your market-analysis queries to ValueScan. Use only the documented endpoints and do not treat the generated crypto signals as guaranteed financial advice.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the SDK means ValueScan API requests can be made with your API key and secret.
The skill requires ValueScan API credentials stored locally and uses them for request signing; this is expected for the stated provider integration but gives the skill access to the user’s ValueScan account/API credits.
Storage path: `~/.openclaw/credentials/valuescan.json` ... Data usage: used only to access the ValueScan API; not transmitted externally
Use a dedicated ValueScan API key if possible, keep the credential file private, monitor API-credit usage, and rotate the key if you no longer trust the installation.
Normal use is to call documented ValueScan endpoints, but misuse of the helper could send signed requests outside the intended API surface.
The helper constructs a POST URL from a caller-supplied path and attaches signed credential headers. The documentation intends relative ValueScan paths, but the code does not itself enforce an allowed endpoint prefix.
`async function vsPost(path, data, timeout = 10000) { ... const fullUrl = new URL(path, BASE_URL).href; ... headers: headers, body: rawBody`
Only use documented ValueScan endpoint paths and consider adding validation that rejects absolute URLs or paths outside `/api/open/v1/`.
