Crypto Address Checker
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly fits its crypto-scam-checking purpose, but it can send checked addresses to Etherscan during normal checks despite repeatedly advertising local-only checks.
Review this skill before installing if you need local-only privacy. Be aware that unknown addresses may be sent to Etherscan during a check. Use a limited Etherscan API key, inspect the Python dependencies before running install.sh, and enable cron/systemd background sync only if you want ongoing API activity.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user who thinks the check is local-only may have the queried address sent to Etherscan during the check.
The main check path can automatically perform a real-time sync for an unknown address instead of only querying the local database or waiting for explicit user approval.
if not address_data: ... # Sync it now! ... sync_result = await sync_address_realtime(address, db, blockchain_info)
Make external sync clearly opt-in or prompt before sending an address to Etherscan, and align the command behavior with the documentation.
Users may rely on a stronger privacy guarantee than the skill actually provides.
The documentation makes a strong local-only/no-external-API claim, while the provided checker code shows a path that fetches from Etherscan for unknown addresses.
Zero external API calls during user checks ... crypto_check_db │ ← Queries local database ONLY
Update the documentation and metadata to plainly state when addresses are sent to Etherscan and when the Etherscan API key is used.
The skill can use the user's Etherscan API key for provider requests and may consume API quota.
The skill uses a stored or environment-provided Etherscan API key for syncing, which is expected for the integration but not declared in the registry credential metadata.
api_key = get_api_key() ... 'API key not configured. Please run: ./setup.sh'
Use a limited-purpose Etherscan API key, review how it is stored, and treat the key as a credential even if the registry metadata marks credentials as none.
If enabled, the worker will continue making API-backed updates on a schedule until the user removes the cron job or service.
The documentation recommends a recurring background sync job; this is disclosed and user-directed, but it is persistent behavior.
*/5 * * * * cd ~/.openclaw/workspace/skills/crypto-scam-detector && source venv/bin/activate && ETHERSCAN_API_KEY="key" python3 sync_worker.py --max-jobs 20
Only enable background sync if needed, monitor its API usage, and document how to disable any cron or systemd service.
Checked addresses and fetched transaction analysis remain on disk and can influence future results.
The skill persists checked addresses, transactions, scam indicators, and sync queue data in a local database for reuse across checks.
config_dir = Path.home() / ".config" / "crypto-scam-detector" ... db_path = config_dir / "crypto_data.db"
Review or delete the local database if privacy or stale data matters, and consider adding clear retention and cleanup instructions.
Users may not see exactly which dependency installation steps run unless they inspect the script and requirements file first.
The installer suppresses most output while installing Python dependencies into a virtual environment. This is a normal setup pattern, but the registry lists no install spec.
exec 1>/dev/null 2>&1 ... python3 -m venv "$SKILL_DIR/venv" ... pip install -r "$SKILL_DIR/requirements.txt"
Review requirements.txt and install.sh before running the installer, and prefer visible install logs for security-sensitive environments.
