ClawHub

Indexy

v1.0.0

Manage, create, update, and analyze custom crypto indices with detailed asset weights, methodologies, and performance metrics via API or Web3 authentication.

0· 600·0 current·0 all-time
byHugo@hsantana
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill name and description match the runtime instructions: it documents index creation, updating, analytics, and two authentication flows (API key and Web3). However, the registry metadata lists no primary credential or required env vars even though the SKILL.md describes explicit authentication methods—this is a metadata omission rather than a functional mismatch.
Instruction Scope
The SKILL.md stays on-task: it specifies API endpoints, request/response formats, rate limits, and authentication headers. It does not instruct the agent to read unrelated files, access unrelated environment variables, or exfiltrate data to domains other than the documented API/web app. It does require providing API keys or Web3 signatures (expected for this service).
Install Mechanism
This is an instruction-only skill with no install spec and no code files. Nothing will be written to disk by an installer—lowest-risk install posture.
!
Credentials
The skill describes two authentication mechanisms (Bearer API keys prefixed with 'agent_' and Web3 EIP-191 signatures) that require secret material (API keys or wallet private keys). Yet the registry metadata declares no required env vars or primary credential. The lack of declared credentials in metadata is an inconsistency that makes it unclear how the platform expects agents to provide/store keys securely.
Persistence & Privilege
The skill does not request permanent presence (always: false) and does not ask to modify other skills or global agent settings. Autonomous invocation is permitted by default but is not combined with other high-risk privileges here.
Assessment
This skill appears to be what it says: an API-driven crypto index manager. Before installing, confirm how the agent should supply credentials, because the registry metadata does not declare required env vars even though the docs require API keys or Web3 signatures. Prefer the API-key flow (create a scoped, revocable agent_ key on the platform) rather than handing your wallet private key to an agent. Verify the API and web domains (indexy.co for API, indexy.xyz for the web UI) and ensure TLS is used. If you plan to use Web3 auth, use a wallet you control and sign only the exact messages the service requires; never paste raw private keys into interfaces. If you need higher assurance, ask the publisher for explicit metadata (which env var to set, what minimal permissions a key should have) or request a link to a verifiable source repository or company homepage before granting any credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b7pk0q7k51jrs0q8b9mgq3h81d71m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments