Skill v0.6.0

ClawScan security

Coinversaa Pulse · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 28, 2026, 3:35 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions are internally consistent with a crypto analytics MCP integration, but it relies on running a third-party npm package via npx and directing the user to write config files — verify the upstream package and repo before trusting it with an API key or agentic trading.
Guidance
This skill is coherent for a Coinversaa MCP integration, but it requires running a third-party npm package via `npx` and editing local client config files. Before installing or providing an API key:
1) review the npm package and the GitHub repository (https://github.com/coinversaa/mcp-server) to ensure the code matches expectations;
2) if you plan to enable agentic trading, understand that orders would rely on Coinversaa's backend signer; only do this if you trust the service and its approval process;
3) prefer creating a scoped/limited API key if available and avoid reusing high-privilege credentials;
4) consider running the package in a sandbox or isolated environment first.
If you want higher assurance, ask the publisher for a signed release or a reproducible package snapshot to audit.

Review Dimensions

Purpose & Capability
ok: The name/description promise crypto intelligence and MCP-accessible tools; the SKILL.md documents 43 tools and shows commands to run an MCP server package (@coinversaa/mcp-server). Required/optional environment variables in the doc (COINVERSAA_API_KEY, COINVERSAA_API_URL) match the stated purpose and are optional. No unrelated credentials or capabilities are requested.
Instruction Scope
note: Instructions focus on connecting an MCP-compatible client to the Coinversaa mcp-server and using named tools (pulse_global_stats, list_markets, etc.). They also instruct editing local client config files (e.g., Claude and Cursor config paths) and exporting an API key. This is expected for integrating an external service, but it does give the skill guidance to modify user-level config files and to enable agentic trading via Coinversaa's backend signer, which requires trust in the external service.
Install Mechanism
note: There is no formal install spec in the registry, but SKILL.md instructs running `npx -y @coinversaa/mcp-server`. That will fetch and execute a package from the npm registry at runtime. Using an npm package is common and traceable (repository URL is provided), but it is a moderate-risk action because remote code will be executed on the host when npx runs. Users should review the package/repo before running.
Credentials
ok: The only environment variables documented are COINVERSAA_API_KEY (optional) and COINVERSAA_API_URL (optional). No unrelated secrets or system credentials are requested. The optional API key is proportional to the paid-tier functionality described.
Persistence & Privilege
ok: The skill is not always-enabled and is user-invocable (defaults). Instructions suggest adding mcpServers entries and environment variables to client config files, which is normal for an MCP integration. There is no request to modify other skills or system-wide privileged settings.