Skill v1.0.3

ClawScan security

BTC Signals Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 4:06 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a simple API integration for Bitcoin market data and require only a single service API key as expected.
Guidance
This skill appears coherent, but treat the BTC_SIGNALS_API_KEY like any sensitive API key: verify the API domain and repository (https://api.btcsignals.pro and the GitHub homepage) before entering your key; never paste the key into public chats; consider creating a dedicated/limited key if the provider supports it; be cautious about using automated order-execution based solely on signals (implement stop-losses and independent checks); review the provider's pricing, terms, and data-retention/privacy policies; rotate the key if you suspect exposure.

Review Dimensions

Purpose & Capability
ok: Name/description match the runtime instructions and declared requirements: the skill only needs an API key (BTC_SIGNALS_API_KEY) to call documented btcsignals.pro endpoints and expose market/trade data.
Instruction Scope
ok: SKILL.md instructs only HTTP calls to the documented base URL, key usage via X-API-Key, and checks like GET /v1/account. It does not instruct reading local files, other env vars, or contacting unexpected endpoints.
Install Mechanism
ok: No install spec or code is included (instruction-only). Nothing is downloaded or written to disk by the skill bundle itself, minimizing install-time risk.
Credentials
ok: Only a single service credential (BTC_SIGNALS_API_KEY) is required and is consistent with the described API usage. No unrelated secrets or config paths are requested.
Persistence & Privilege
ok: Skill is not always-enabled and uses normal autonomous invocation settings. It does not request elevated platform persistence or modifications to other skills/configs.