Avalanche Analytics AVAX生态分析

Security checks across malware telemetry and agentic risk

Overview

This paid crypto analytics skill does not show wallet-draining or destructive code, but its advertised monitoring/investment analysis is under-supported by the packaged code and may present static data as if it were current.

Review carefully before installing or paying. Do not rely on the reported Avalanche TVL/APY figures as live market data, avoid downloading missing helper scripts from elsewhere, and only provide a wallet address if you accept the SkillPay verification data flow.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI09: Human-Agent Trust Exploitation (severity: Medium)
What this means

Users could mistake static estimates for current Avalanche/DeFi data and make financial or staking decisions based on stale information.

Why it was flagged

The monitor script describes itself as monitoring chain data and stamps its output with the current time, but the protocol TVL/APY values are hard-coded in the source rather than fetched from live chain or market APIs.

Skill content

"监控 Avalanche C-Chain 和子网数据" (translation: "Monitor Avalanche C-Chain and subnet data") ... 'traderjoe': {'tvl': 1_200_000_000, ... 'apy': 18.5} ... 'timestamp': datetime.now().isoformat()
Recommendation

Treat the analytics as illustrative unless the maintainer adds live data sources, freshness labels, and clear disclaimers for investment-related outputs.

ASI04: Agentic Supply Chain Vulnerabilities (severity: Low)
What this means

Some documented functionality may fail or may tempt a user/agent to look for unreviewed replacement files elsewhere.

Why it was flagged

SKILL.md advertises helper scripts that are not included in the provided file manifest, which only contains payment.py and scripts/avalanche_monitor.py as code files.

Skill content

`scripts/subnet_analyzer.py` ... `scripts/project_evaluator.py` ... `scripts/validator_calculator.py`
Recommendation

Do not fetch missing scripts from unknown sources; the maintainer should either include the referenced files or remove the commands.

ASI03: Identity and Privilege Abuse (severity: Low)
What this means

The skill may require payment verification through the publisher's payment service, though no automatic crypto transfer or wallet signing is shown.

Why it was flagged

The skill bundles a credential-like SkillPay API key and uses it for payment verification. This appears aligned with the pricing metadata, but it is still account/payment authority embedded in the package.

Skill content

SKILLPAY_API_KEY = "sk_f03aa..." ... "Authorization": f"Bearer {SKILLPAY_API_KEY}"
Recommendation

Users should confirm the payment requirement before use; the publisher should avoid exposing long-lived secrets and clearly document the billing flow.

ASI07: Insecure Inter-Agent Communication (severity: Low)
What this means

A wallet address used for verification may be shared with a third-party payment service and linked to use of this skill.

Why it was flagged

Payment verification can send the user's wallet address and a timestamp to the external SkillPay API.

Skill content

SKILLPAY_API_URL = "https://api.skillpay.io/v1" ... "user_address": user_address, "timestamp": datetime.utcnow().isoformat()
Recommendation

Only provide a wallet address if you are comfortable with that data being sent to SkillPay; the skill should disclose this data flow in user-facing instructions.