ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bitcoin Daily

v1.3.2

Daily digest of the Bitcoin Development mailing list and Bitcoin Core commits. Use when asked about recent bitcoin-dev discussions, mailing list activity, Bitcoin Core code changes, or to set up daily summaries. Fetches threads from groups.google.com/g/bitcoindev and commits from github.com/bitcoin/bitcoin.

2· 2.5k·5 current·5 all-time
by@clawd21
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the script fetches bitcoindev threads and bitcoin/bitcoin commits, summarizes and archives them. No unrelated credentials, binaries, or services are requested.
Instruction Scope
SKILL.md tells the agent to run the included node script to fetch, summarize, and archive data. The script only accesses public endpoints (groups.google.com, a gnusha.org mirror, and api.github.com), writes archive files to ~/workspace/bitcoin-dev-archive, and outputs a summary. The use of child_process.execSync to fetch Google Groups HTML is unusual but consistent with trying to retrieve page HTML; it does not read unrelated local files or transmit data to unexpected external endpoints.
Install Mechanism
There is no install spec and no external downloads; the skill is instruction + an included script. Nothing is fetched from non-standard hosts during install.
Credentials
The skill declares no required environment variables or credentials. The script uses process.env.HOME to build an archive path (normal). It makes unauthenticated GitHub API calls (rate-limited) but asks for no secrets.
Persistence & Privilege
always is false and the skill does not request permanent platform presence or modify other skills. It writes only to its own archive directory under the user's HOME; this is expected for an archiving digest.
Assessment
This skill appears to do what it says: fetch public mailing-list threads and GitHub commits, archive them under ~/workspace/bitcoin-dev-archive, and produce summaries. Things to consider before installing: (1) the script will create files in your HOME workspace—inspect and choose whether that path is acceptable; (2) it makes unauthenticated requests to the GitHub API (you may hit rate limits if used frequently); (3) it uses child_process.execSync to fetch Google Groups HTML (fragile but not inherently malicious); (4) since the skill can be run by the agent, review the included scripts yourself or run them in a sandbox if you have any doubts. No secrets are requested, and there are no external download URLs or hidden endpoints.

Like a lobster shell, security has layers — review code before you run it.

latestvk977v55e64e0sdrrqbqjpe9f3s804yw1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📰 Clawdis

Comments