Skill v0.3.0
ClawScan security
Fomo Research · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 21, 2026, 8:43 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions match its stated purpose (calling cope.capital APIs to track traders); nothing requested is disproportionate or unexpected.
- Guidance: This skill appears coherent and only needs an API key for api.cope.capital. Before installing: (1) only provide the COPE_API_KEY if you trust cope.capital; treat it like a password and store/revoke it if needed; (2) never share private keys; only supply public wallet addresses if you accept that on-chain activity and holdings will be visible to the service; (3) be aware that the agent may call the API autonomously (default behavior) using the provided key; limit the skill or revoke the key if you see unexpected activity; (4) review cope.capital's privacy and billing policies (x402 paid tier) before enabling paid features.
Review Dimensions
- Purpose & Capability (ok): Name/description (Fomo Research) align with the declared API usage. The only required credential is COPE_API_KEY, which is appropriate for calling api.cope.capital. No unrelated binaries, hosts, or credentials are requested.
- Instruction Scope (note): SKILL.md instructs the agent to help the human register for an API key, optionally sync a Fomo profile, add wallet addresses (read-only) and create watchlists, all consistent with a monitoring/tracking skill. Note: the skill asks the user to connect wallet addresses (on-chain addresses) for expanded features; this is expected but reveals wallet addresses and on-chain activity (privacy consideration). The documentation explicitly says not to request private keys.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files; nothing is written to disk or downloaded during install. Lowest-risk install posture.
- Credentials (ok): Only COPE_API_KEY is required and is justified by the API usage. No other tokens, secrets, or system config paths are requested. The SKILL.md uses that env var as expected.
- Persistence & Privilege (ok): always is false and the skill does not request elevated system presence or modify other skills. The skill can be invoked autonomously (platform default), which is expected for an agent-integrated data-fetching skill.
