Back to skill
Skillv1.0.0
ClawScan security
Crypto Daily Report (中文) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 12, 2026, 12:35 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, scripts, and runtime instructions are consistent with a crypto daily-report generator and delivery tool; nothing requests unexplained credentials or installs arbitrary code.
- Guidance
- This skill appears to do what it says: collect public crypto data, format a report, and send it to messaging channels. Before installing: 1) Confirm you have the onchainos CLI and understand whether it needs credentials; the skill does not declare any env vars but some data feeds (CoinGlass fallback) may need API keys. 2) Review and change any example channel IDs (the README uses -1002009088194) so you don't accidentally send reports to someone else's Telegram group. 3) Inspect the scripts locally before running them (they are informational reference implementations). 4) If you plan to enable scheduled delivery, explicitly approve the cron setup and the target channel. 5) Prefer installing from a known source/repo (the skill lists a GitHub author in the license/README but registry 'Source' and homepage are empty); verify the upstream repository if possible.
Review Dimensions
- Purpose & Capability
- okName/description (crypto daily reports + scheduled delivery) match the provided scripts and SKILL.md. Required tools referenced (onchainos CLI, curl, web_fetch/web_search, cron, message) are coherent with fetching prices, news, calendar, and sending to messaging channels.
- Instruction Scope
- okSKILL.md instructs the agent to fetch market data (onchainos, web_search, web_fetch), call a public REST API (alternative.me), assemble a report, and send it via the agent's message tool or cron. It does not instruct reading arbitrary local files, harvesting unrelated env vars, or posting data to unknown third‑party endpoints beyond documented news/data sources.
- Install Mechanism
- okNo install spec is provided (instruction-only skill with bundled scripts). There are no downloads from external URLs or archive extraction steps—scripts are local reference implementations, not remote installers.
- Credentials
- noteThe skill declares no required env vars or credentials, which matches most of the content. Note: some referenced data sources (optional CoinGlass API) or the onchainos CLI may require API keys or auth in practice; those credentials are not declared by the skill. The absence of declared env vars is not malicious but you should be prepared to provide keys for services you expect to use.
- Persistence & Privilege
- okalways:false and no attempt to modify other skills or system-wide agent config. Cron setup is documented and requires explicit user action (or explicit agent command) to schedule delivery.