Crypto Genie

Review

Audited by ClawScan on May 10, 2026.

Overview

Crypto Genie mostly matches its crypto-safety purpose, but it claims checks are local while its checker can fetch unknown addresses from Etherscan during a normal check using an API key.

Review before installing. Use this skill only if you are comfortable with Python dependency installation, local storage under ~/.config/crypto-genie, and Etherscan API calls for unknown addresses. Do not enable the cron/background worker unless you intentionally want ongoing sync activity, and use a dedicated Etherscan API key.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crypto address the user checks may be sent to Etherscan during the check, contrary to the strongest local-only wording in the documentation.

Why it was flagged

This shows the checker can make an Etherscan-backed network sync during a normal check for an unknown address, while SKILL.md prominently says there are 'No external API calls during user checks.'

Skill content

print(f"⏳ Address not in database. Fetching from {blockchain_info['explorer']}...") ... syncer = EtherscanSyncer(api_key, db) ... success = await syncer.sync_address(address)

Recommendation

Require clear user approval before real-time sync, update SKILL.md/metadata to describe when external calls happen, and offer a truly offline/database-only mode.

What this means

Users may need to provide and store an Etherscan API key for full functionality.

Why it was flagged

The skill can use an Etherscan API key even though registry metadata declares no required env vars or primary credential. The key use is purpose-aligned, but under-declared.

Skill content

api_key = get_api_key() ... 'API key not configured. Please run: ./setup.sh'

Recommendation

Use a dedicated low-privilege Etherscan key, avoid putting it in shared shell history, and ensure the registry declares the optional credential.

What this means

If enabled, the worker may continue making Etherscan API calls and updating the local database on a schedule.

Why it was flagged

The skill documents a continuous worker and scheduled cron sync. This is optional and user-directed, but it can keep running after setup.

Skill content

python3 sync_worker.py
# Runs continuously, processes queue ... Cron schedule (recommended): */10 * * * * ... ETHERSCAN_API_KEY="key" python3 sync_worker.py --max-jobs 30

Recommendation

Only enable the worker or cron job intentionally, set bounded job limits, monitor logs, and remove the schedule when no longer needed.

What this means

Installing the skill may add Python packages to a skill-local virtual environment.

Why it was flagged

The installer creates a local Python environment and installs dependencies, but the registry says there is no install spec. This is common for Python tools but should be declared.

Skill content

python3 -m venv "$SKILL_DIR/venv" ... pip install --upgrade pip ... pip install -r "$SKILL_DIR/requirements.txt"

Recommendation

Review requirements.txt before installing, and ask the publisher to declare install requirements and dependency versions in registry metadata.

What this means

Your checked addresses and decoded transaction snippets may remain on disk under the local config directory.

Why it was flagged

The skill persists checked address data and decoded transaction messages in a local SQLite database. This is purpose-aligned caching, but it creates retained local history and stores untrusted blockchain text.

Skill content

config_dir = Path.home() / ".config" / "crypto-genie" ... CREATE TABLE IF NOT EXISTS transactions (... input_data TEXT, decoded_message TEXT ...)

Recommendation

Protect or periodically delete the local database if address-check history is sensitive, and treat decoded transaction messages as untrusted data.