Skill v1.0.1
ClawScan security
Trends · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 6, 2026, 11:07 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only helper for the trends-skill-tool CLI and its declared requirements, instructions, and scope are internally consistent with that purpose.
- Guidance: This skill appears coherent and focused on helping with the trends-skill-tool CLI. Before installing or using the CLI and following its instructions: 1) verify the npm package @trends-fun/trends-skill-tool on npm (author, versions, and source repo) before running npm install -g; 2) never paste or allow the assistant to read private keys, seed phrases, or secretKey arrays — the docs correctly forbid this; 3) be careful with 'direct write' or any explicit bypass of confirmation (these will cause real blockchain transactions); 4) confirm RPC/API endpoints (https://api.mainnet-beta.solana.com and https://api.trends.fun/v1) are what you expect; and 5) if you need stronger isolation, run the CLI in a sandbox or review its source code locally before global installation.
Review Dimensions
- Purpose & Capability (ok): Name/description match the content: the SKILL.md and reference docs are focused on installing, configuring, using, and troubleshooting the @trends-fun/trends-skill-tool CLI. There are no unrelated environment variables, binaries, or installs requested that would be disproportionate to a CLI helper.
- Instruction Scope (ok): The runtime instructions stay within the CLI support scope: they provide concrete commands, parameter-completion rules, preflight checks, and an explicit prohibition on reading or printing private keys/secret material. They do not instruct the agent to read arbitrary files or exfiltrate data beyond interacting with the documented CLI and its API endpoints.
- Install Mechanism (note): No install spec is embedded in the skill (instruction-only). The docs direct users to install the CLI globally via npm (npm install -g @trends-fun/trends-skill-tool). This is reasonable for a CLI helper, but because the skill assumes an external npm package, users should verify the package source and author before running global installs.
- Credentials (ok): The skill declares no required env vars or credentials. The docs mention optional environment variables (TRENDS_RPC_URL, TRENDS_API_BASE_URL, etc.) and default RPC/API endpoints for normal operation — these are proportional and expected for a wallet/trading CLI.
- Persistence & Privilege (note): Skill is not always-enabled and is user-invocable. It permits write operations but defines a clear confirmation gate for create/buy/sell/reward-claim; it also documents an explicit user-initiated bypass (direct write). This is consistent with a CLI assistant, but users should be cautious when requesting 'direct write' to avoid accidental transactions.
