Skill v1.0.3
ClawScan security
RootData Crypto · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 30, 2026, 7:46 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it only calls RootData endpoints and requires a single anonymous API key; nothing in the instructions or files requests unrelated credentials, installs, or system access.
- Guidance: This skill appears to do what it claims: query RootData for crypto projects, investors, funding rounds, trending projects, and personnel moves. Before installing, confirm you trust api.rootdata.com and are comfortable with the agent storing a single API key (ROOTDATA_SKILL_KEY) in its environment/config. The SKILL.md instructs generating an anonymous key via /open/skill/init and saving it locally — verify how your agent platform persists environment variables and whether you need that key to be revocable. Note a minor metadata mismatch (the included _meta.json lists version 1.0.2 while the package is 1.0.3) — this looks like a packaging oversight, not a security issue. If you need stronger guarantees, ask the skill author or RootData for documentation about the permissions and lifecycle of keys created by /open/skill/init.
Review Dimensions
- Purpose & Capability (ok): The name/description (crypto project/investor/funding/personnel queries) matches the declared requirement (ROOTDATA_SKILL_KEY) and the SKILL.md exclusively documents calls to api.rootdata.com. No unrelated services, binaries, or credentials are requested.
- Instruction Scope (ok): Runtime instructions are limited to calling RootData's documented endpoints and returning fields from those responses. The only cross-cutting action is creating/storing an anonymous key from /open/skill/init and using it in Authorization headers; the skill does not instruct reading other files, system paths, or unrelated environment variables.
- Install Mechanism (ok): There is no install spec and no code files to write or execute. This instruction-only skill does not download or install packages, minimizing on-disk risk.
- Credentials (ok): The skill requests a single environment variable (ROOTDATA_SKILL_KEY) which is proportional to the need to authenticate to the RootData API. The SKILL.md states the key is an anonymous, low-privilege key for public data endpoints—this matches the declared scope. Users should note the skill asks the agent to persist the key as an environment variable.
- Persistence & Privilege (note): The skill is not always-enabled and does not request elevated privileges. It instructs the agent to save the returned api_key as an environment variable; depending on the host platform this may persist the key in agent configuration or memory. This behavior is expected for the skill's function but is worth confirming with your platform's persistence model.
