Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Market Data Skill (No Key Required)

v1.0.2

No API KEY needed for free tier. Professional-grade cryptocurrency and stock market data integration for real-time prices, company profiles, and global analytics. Powered by Node.js with zero external dependencies.

by Liam @liam8
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (fetching crypto & stock market data) aligns with the included scripts and the single API client; no unrelated binaries, credentials, or heavy installs are requested.
Instruction Scope
SKILL.md instructs running the included Node.js scripts and documents the token flow and the token endpoint (https://api.igent.net/api/token). The implementation additionally honors an undocumented API_BASE_URL environment variable (overrides BASE_URL), which SKILL.md does not mention — small documentation mismatch that could be used to change the remote endpoint.
Install Mechanism
There is no install spec and package.json declares no dependencies — the scripts use only Node.js standard libs as claimed, so nothing is downloaded or written during install. Risk from install mechanism is low.
Credentials
The skill does not request credentials or environment variables in metadata. The only environment variable the code reads is API_BASE_URL (process.env.API_BASE_URL), an optional override that sets the remote endpoint; no secrets or environment variables are required up front.
Persistence & Privilege
The API client writes a local '.token' file under the scripts directory to persist temporary tokens. This is expected for session reuse, but it is persistent state written to disk and should be treated as sensitive (it contains the token and expires_at). The skill is not force-enabled (always: false) and does not modify other skills.
Assessment
This skill appears to do what it says (market data queries) and does not ask for your private credentials, but it connects to an external service (https://api.igent.net by default) and writes a session token to a hidden .token file in the skill directory. Before installing or running it:

1) Verify you trust api.igent.net or the skill's origin (no homepage/source listed).
2) Run it in a sandbox or low-privilege environment first so the token file and network calls are isolated.
3) Inspect the .token file contents and remove it if you no longer want persisted tokens.
4) Be aware that setting API_BASE_URL (an undocumented override present in code) can redirect requests to another endpoint; avoid running in sensitive environments where that could be abused.

If you cannot confirm the provider's reputation, treat it as untrusted code and avoid running it on machines with sensitive data or credentials.

Like a lobster shell, security has layers — review code before you run it.
