Skill v1.0.7

ClawScan security

valuescan-skill-beta · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 24, 2026, 11:18 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files and runtime instructions are consistent with a ValueScan API client: it requires an API key/secret, signs requests locally, and only talks to the documented API endpoint; nothing in the package suggests unrelated or hidden behaviors.
Guidance
This skill behaves like a normal API client for ValueScan. If you install it:
1) You will need to provide a ValueScan API Key and Secret; the SDK expects them in ~/.openclaw/credentials/valuescan.json.
2) Those credentials will be sent (in headers) to https://api-beta.valuescan.io when the skill calls the API; ensure you trust beta.valuescan.io, and create the key with a limited scope where possible.
3) Storing secrets on disk is convenient but risky if others have access to your account or machine; protect the keys, or rotate them when they are no longer needed.
4) There are no other hidden network endpoints or unrelated credential requests in the package.

Review Dimensions

Purpose & Capability
ok
The skill advertises a ValueScan cryptocurrency analysis API and includes an HMAC-SHA256 signing SDK that reads a valuescan API key/secret and sends signed POST requests to api-beta.valuescan.io. Requiring an API Key and Secret is appropriate and expected for this purpose.
Instruction Scope
note
SKILL.md and the SDK instruct storing credentials at ~/.openclaw/credentials/valuescan.json and reading them for signing; the instructions and included code reference only the ValueScan API endpoints and local credential file. Note: storing secrets on disk is functional but has the usual local-security considerations (anyone with filesystem access to that path can use the keys).
Install Mechanism
ok
No install/download mechanism is included (instruction-only with a small SDK file). There are no external installers or downloads, and the code is not obfuscated.
Credentials
ok
The skill requests only the ValueScan API credentials (api_key and secret_key) for signing requests. It does not request unrelated environment variables or other service credentials. Credentials are handled via a local JSON file rather than env vars; this is reasonable but should be understood by the user.
Persistence & Privilege
ok
The skill is not force-enabled (always: false) and uses normal autonomous invocation defaults. It stores/reads credentials in its own config path (~/.openclaw/credentials/valuescan.json) but does not modify other skills or system settings.