Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Solana Analytics Pro: Professional Solana Analysis

v1.0.0

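A professional-grade, comprehensive Solana analysis tool. It provides technical analysis, on-chain data insights, market sentiment monitoring, portfolio management, and trading signal generation. This Skill is triggered when the user needs in-depth analysis of a Solana project, trading signal generation, crypto portfolio management, risk assessment, or professional-grade market reports.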

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md describes a coherent Solana analytics product (TA, on-chain metrics, sentiment, portfolio, signals). However, the document expects local Python scripts (scripts/*.py) and integration with many external data providers (Helius, Solscan, TradingView, Twitter/X, etc.). The skill package contains no code files and declares no required credentials or binaries, so required capabilities to deliver the described features are missing from the bundle.
Instruction Scope
Instructions reference running specific scripts (e.g. scripts/comprehensive_analyzer.py, scripts/signal_generator.py), reading input files (portfolio.json), tracking wallet addresses and sending alerts, and calling third‑party APIs. There are no instructions about where alerts are delivered, how API keys are provided, or what files/paths the agent may read. This gives the agent wide, unspecified discretion and depends on missing artifacts — a scope creep / incoherence risk.
Install Mechanism
No install spec is provided (instruction-only). That limits direct supply-chain risk from arbitrary downloads. However, because the instructions assume local scripts and external integrations, the absence of an install step means required code and dependencies are not packaged, which is an operational inconsistency rather than a direct install risk.
Credentials
The SKILL.md expects use of multiple external services (TradingView, Helius, Solscan, Twitter/X, LunarCrush, Santiment, etc.) that typically require API keys, but the skill declares zero required environment variables and no primary credential. This is disproportionate: data access and alerting features would normally require declared credentials and scopes. The lack of declared env vars or guidance is a red flag.
Persistence & Privilege
The skill does not request always:true, does not declare special config paths, and is user-invocable. There is no evidence it attempts to persistently modify agent/system configuration. Persistence/privilege level appears reasonable.
What to consider before installing
Before installing or enabling this skill:
1) Do not supply any secret keys (exchange keys, wallet private keys, or broad API tokens) until the publisher provides a clear list of required credentials and scopes.
2) Ask the author for the missing code referenced by SKILL.md (scripts/*.py) and review those scripts for network endpoints, data exfiltration, and secret handling.
3) Require the skill manifest to declare required environment variables and minimal scopes (read-only API keys where possible).
4) Verify where alerts/outputs are sent (email, webhook, external service) and confirm you control those endpoints.
5) If you must test, run it in an isolated/sandbox environment with limited, revocable credentials.
6) If the publisher or source is unknown or cannot supply auditable code and credential requirements, treat the skill as untrusted and avoid granting access to sensitive accounts or secrets.

Like a lobster shell, security has layers — review code before you run it.
