Fía Signals
PassAudited by ClawScan on May 1, 2026.
Overview
The skill appears benign: it is a simple, disclosed wrapper around Fía Signals crypto-market API calls, with minor notes about outbound queries and an undeclared curl dependency.
Before installing, be comfortable with crypto lookup requests going to api.fiasignals.com and review any x402 payment links or premium endpoint costs manually; do not provide private keys, seed phrases, or sensitive wallet credentials.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may fail if curl is unavailable, but the dependency is a normal fit for an API wrapper.
The script requires curl at runtime, while the registry metadata lists no required binaries. This is a minor dependency declaration gap rather than hidden installation behavior.
result=$(curl -s --max-time 20 -w "\n%{http_code}" "${API_BASE}${endpoint}" 2>/dev/null)Ensure curl is installed before using the skill; maintainers should declare it in the skill requirements.
Queries you ask the skill to analyze may be visible to the Fía Signals service.
User-requested crypto symbols, wallet addresses, or contract addresses can be sent to the disclosed Fía Signals API. This is expected for the market-intelligence purpose and no unrelated destination is shown.
API_BASE="https://api.fiasignals.com" ... fetch "/v1/wallet/profile/${ADDR}"Use it for public crypto data or addresses you are comfortable sending to the provider, and avoid including private keys, seed phrases, or unrelated sensitive information.