Back to skill
Skillv1.0.1
ClawScan security
Riskgate Market Signals · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 16, 2026, 4:52 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only wrapper for a third‑party crypto signals API (api.riskgate.xyz); its requested actions, optional API key usage, and documentation are coherent with the stated purpose and there is no code, install step, or unrelated credential access.
- Guidance
- This skill is an instruction-only integration that calls api.riskgate.xyz and uses an optional RISKGATE_API_KEY (fallback demo key included). Before installing, confirm you trust RiskGate (api/riskgate.xyz) and are comfortable with an agent using those signals for trading decisions. If you plan to provide a paid API key or M2M credentials, treat them like any secret (only provide keys you control and revoke them if needed). Also be aware the demo key is rate-limited (10 calls/day) and the skill will tell the agent to halt or notify a human on critical anomalies — review the decision-logic.md to ensure its gating behavior matches your risk policy.
Review Dimensions
- Purpose & Capability
- okName and description match the runtime instructions and included docs: the files describe querying RiskGate endpoints for regime, anomaly, and sentiment signals. Nothing requested (no binaries, no required env vars) is unrelated to a market‑signals integration.
- Instruction Scope
- okSKILL.md and supporting docs instruct only to call the RiskGate API, check an optional RISKGATE_API_KEY env var, handle demo limits, and follow decision/monitoring rules. There are no instructions to read arbitrary host files, exfiltrate data, or contact unexpected endpoints.
- Install Mechanism
- okNo install spec and no code files — instruction-only skill — so nothing is written to disk or installed. This is the lowest‑risk install profile.
- Credentials
- okThe skill optionally reads one service credential (RISKGATE_API_KEY) and otherwise uses a public demo key; no unrelated secrets or system config paths are requested. Requiring an API key for a third‑party API is proportionate to the purpose.
- Persistence & Privilege
- okSkill is not forced always-on (always:false) and does not request persistent system privileges or modification of other skills. Autonomous invocation (default) is allowed but not combined with concerning permissions.