Skillv1.0.0

ClawScan security

CoinGecko · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 13, 2026, 11:52 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is a small, self-contained CoinGecko client: its scripts only call CoinGecko's public API and match the SKILL.md instructions, and it does not request credentials, unusual binaries, or persistent privileges.
Guidance: This skill is coherent and implements a straightforward CoinGecko client. Before installing, note that it will make outbound HTTPS requests to api.coingecko.com (CoinGecko's free API) and is subject to their rate limits (~30 req/min). The source is 'unknown'—if you require a vetted origin, verify the publisher or inspect/track future updates; otherwise the code shown appears benign and limited in scope.

Purpose & Capability: okName/description claim realtime crypto data from CoinGecko and the included Python scripts implement exactly that (price, search, token-by-contract, trending). No unrelated env vars, binaries, or APIs are required.
Instruction Scope: okSKILL.md instructs running the provided scripts. The scripts only perform HTTPS requests to api.coingecko.com, parse responses, and print JSON. They do not read local files, access environment variables, or transmit data to other endpoints.
Install Mechanism: okNo install spec (instruction-only skill with code files). There is no downloading of external archives or package installation; the scripts run with the system Python and make outbound HTTPS requests.
Credentials: okThe skill declares no required credentials or config paths and the code does not attempt to read environment variables or other secret-bearing locations. Network access to CoinGecko is the only runtime requirement.
Persistence & Privilege: okalways:false and no attempt to modify other skills or system configs. Agent autonomous invocation is allowed (platform default) but the skill does not request elevated or persistent privileges.