ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Alpha Scanner

v1.0.0

Automated crypto market intelligence - prices, sentiment, trending coins, and Polymarket hot markets. Zero dependencies, 100% reliability. Perfect for alpha channels and market monitoring.

0· 1k·4 current·4 all-time
byCassh@cassh100k
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (crypto market intelligence) matches the included Python script and SKILL.md: it fetches prices from CoinGecko, fear/greed from alternative.me, and Polymarket markets. There are no unexplained credentials, binaries, or unrelated capabilities requested.
Instruction Scope
SKILL.md instructs the user to run the included script and optionally pipe output to a shell posting script; the script only performs HTTP GETs to public APIs and formats output. Instructions reference adding a cron job and an example post_telegram.sh (not provided) — nothing in SKILL.md or the script attempts to read system files, environment secrets, or other data.
Install Mechanism
No install spec; this is instruction-only plus a small Python script that uses only the stdlib (urllib, json, datetime). No downloads, package installs, or archive extraction are performed.
Credentials
The skill requires no environment variables, keys, or config paths. The SKILL.md example references a post_telegram.sh that would require a bot token if used, but that script is not included and no credential is requested by the skill itself.
Persistence & Privilege
always is false and the skill does not request persistent agent presence or modify other skill/config state. The only persistence suggestion is a user cron example (user-managed). The script itself does not write files or alter system configuration.
Assessment
This skill appears coherent and uses only public API calls (CoinGecko, alternative.me, Polymarket). Before installing/running: 1) be aware it will make outbound HTTP requests (your machine's IP and timing will be observable by those APIs); 2) the SKILL.md references piping output to a post_telegram.sh script that is not provided — review any posting scripts you add, since they will need a Telegram token and could transmit data; 3) the cron example writes to /var/log which may require elevated permissions — avoid running scheduled jobs as root unless intended; 4) ignore marketing claims like “100% reliability”; real-world APIs can fail or rate-limit. If you want extra caution, run the script in a restricted environment (container) or inspect/modify scripts before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk975x2jdr3sw14pvckgxmrr01n80zts1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments