Skill v3.4.5

ClawScan security

Aicoin Market · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 10, 2026, 6:28 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely implements its stated crypto-market-data purpose, but there are inconsistencies around credential handling and local .env access/writes that you should review before installing.
Guidance
This skill appears to implement the described AiCoin market-data features, but review these points before installing:

- Credential mismatch: the metadata lists only AICOIN_ACCESS_KEY_ID, but the code requires AICOIN_ACCESS_SECRET as well. Ensure you supply both if you plan to use paid endpoints.
- Embedded default keys: defaults.json embeds a free-tier accessKeyId and accessSecret in the repository. Treat those as public, rate-limited keys; if you prefer not to use them, override them with your own keys in .env.
- .env access and writes: the code auto-loads .env from the current working directory and from ~/.openclaw paths, and the update_key command will write to one of those .env files. If you run commands from an unexpected cwd, the skill may create or modify a .env file there. Consider running the skill in an isolated workspace and inspect the .env file the skill will use before writing secrets.
- No network exfiltration detected: requests go to AiCoin endpoints and signing is done locally; I did not find evidence that the skill uploads arbitrary local files or other secrets to external servers. Still, because it reads .env contents into the process environment, avoid running it in a directory where sensitive non-AiCoin secrets are stored in .env.

Actions you can take:

- Verify the source (the SKILL.md cites a GitHub repo; confirm it matches the repository you trust).
- If you want to be cautious, remove or replace defaults.json with sanitized values, and create a dedicated workspace/.env for AiCoin keys only.
- If you use update_key, confirm which .env file will be modified and back it up first.

I rate this as 'suspicious' (not necessarily malicious) because of the credential/declaration mismatch and the embedded default secret. Both are explainable, but they warrant manual review before trusting the skill with your environment.

Review Dimensions

Purpose & Capability
Status: ok
Name/description match the code and scripts. The skill uses node scripts to fetch market data from the AiCoin Open API, and the listed scripts provide the features described (prices, kline, news, airdrops, Twitter, etc.). Requiring node is appropriate for the included JS CLI files.
Instruction Scope
Status: note
SKILL.md correctly instructs the agent to run the provided node scripts and to avoid web_search/web_fetch for data. However, the runtime code auto-loads .env files from multiple locations, and the scripts can read those files (coin.mjs api_key_info scans .env and update_key writes to .env). That behavior is within the skill's purpose (to use/store AiCoin API keys), but broad .env auto-loading is worth noting because it brings other local environment variables into the skill's runtime context (the SKILL.md explicitly warns not to run 'env' to avoid leaks).
Install Mechanism
Status: ok
No external install/downloads; this is instruction+script based and only requires node to be present. No archived remote installs or untrusted URLs are used.
Credentials
Status: concern
Registry metadata declares AICOIN_ACCESS_KEY_ID as the primary credential, but the code expects and uses both AICOIN_ACCESS_KEY_ID and AICOIN_ACCESS_SECRET (and falls back to values embedded in defaults.json). defaults.json contains a hard-coded accessKeyId and accessSecret (public/free-tier keys). The skill also auto-loads and may mutate .env files in multiple locations (cwd, ~/.openclaw/workspace/.env, ~/.openclaw/.env). Requesting/saving an API key is reasonable for this skill's purpose, but the metadata omission of the secret and the embedded credentials in defaults.json are inconsistent and worth scrutiny.
Persistence & Privilege
Status: note
The skill is not always-enabled and does not request elevated platform privileges, but it will read and (when update_key is used) write .env files in the workspace/home locations. That means it can persist an API key on disk in your workspace configuration. This is expected for a key-management flow, but you should be aware that it will create/modify files outside the skill source directory.