Skill v1.0.0

ClawScan security

Portal Token Discovery · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 16, 2026, 11:24 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's instructions, requirements, and behavior are internally consistent with its stated purpose of providing PORTAL token info and live CoinGecko market data; it requests no credentials or installs and only directs the agent to fetch public API data and list reference links.
Guidance
This skill appears coherent and low-risk: it only fetches public token info and CoinGecko market data and requires no credentials or installs. Two practical cautions: (1) verify the listed contract addresses and official links yourself (check explorers like Etherscan/BaseScan and official project channels) before acting on them, because incorrect addresses can be harmful; (2) the skill explicitly says it won’t perform trades, so if you ask the agent to trade, it should prompt for confirmation and explicit execution details — do not provide private keys or credentials. If provenance matters, note the registry owner and lack of a homepage; consider installing only if you trust the publisher or after manually validating a few responses.

Review Dimensions

Purpose & Capability
ok: Name/description (token info, market links) match the skill's actions: providing contract addresses, trusted links, DEX pair info, and instructions to fetch CoinGecko market data. Nothing requested (no env vars, no binaries) is out of scope for this purpose.
Instruction Scope
ok: SKILL.md confines runtime actions to: returning canonical info and trusted links, and issuing a GET to CoinGecko's public API to extract specific market fields. It does not instruct reading unrelated files, accessing secrets, or exfiltrating data to unexpected endpoints.
Install Mechanism
ok: No install specification and no code files — instruction-only skill. This minimizes disk/write risk and is proportionate for a read-only information skill.
Credentials
ok: No environment variables, credentials, or config paths are required. The only external access is to public URLs (CoinGecko, CoinMarketCap, BaseScan, official site, X), which aligns with the stated goal.
Persistence & Privilege
ok: "always" is false and the skill does not request system-wide persistence or modification of other skills. Autonomous invocation is allowed by default but this is not combined with any elevated privileges or credential access.