Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Crypto Chart
v1.0.0
Get cryptocurrency token price and generate candlestick charts via CoinGecko API or Hyperliquid API. Use when user asks for token price, crypto price, price...
by @redf426
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual behavior: the script fetches price/ohlc data from CoinGecko and Hyperliquid, caches results, and renders PNG candlestick charts. Required binary (python3) and Python dependency (matplotlib) are appropriate and proportionate.
Instruction Scope
SKILL.md instructs only how to run the included script, copy the generated PNG into the workspace, send it via the message tool, and clean up. The instructions do not direct reading unrelated files, require extra credentials, or send data to unexpected endpoints. Note: outputs and caches are written to /tmp as documented.
Install Mechanism
No install spec (instruction-only) and a small requirements.txt (matplotlib) — low-risk. The code is bundled with the skill rather than downloaded at runtime; nothing is fetched from untrusted installers during install.
Credentials
The skill requests no environment variables, no credentials, and no config paths beyond /tmp for cache and chart files. Network access to api.coingecko.com and api.hyperliquid.xyz is required and consistent with the described data sources.
Persistence & Privilege
always:false and no self-modifying or cross-skill configuration. The skill does not request permanent elevated presence or access to other skills' configuration.
Assessment
This skill appears coherent and implements what it says: it needs python3 and matplotlib, and it fetches data from CoinGecko and Hyperliquid and writes caches/charts to /tmp. Before installing: ensure you are comfortable allowing outbound network calls to those APIs; confirm you will install matplotlib from a trusted source (pip); be aware that files are created in /tmp which on multi-user hosts can be readable by others; the SKILL.md mandates cleanup but verify the agent reliably removes temp files (leftover files could accumulate). The script shows some duplicated function definitions (likely sloppy copy/paste) — not necessarily malicious but may indicate rough maintenance. No credentials are requested and no obvious exfiltration endpoints are present.
Like a lobster shell, security has layers — review code before you run it.
latest vk979hkada0ap4g234d0mhz5bsn84v8ak
Runtime requirements
📈 Clawdis
Bins: python3
