Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Kr Crypto Intelligence
v1.3.0Korean crypto market data + AI analysis for trading agents. 11 endpoints, 180+ tokens. Real-time Kimchi Premium, exchange intelligence, AI market read, and w...
⭐ 0· 100·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The tool's name and features (Korean crypto data, multiple endpoints, pay-per-call) align with the SKILL.md content and the listed MCP/API endpoints. However the SKILL.md claims open-source repo and many registry listings while the registry metadata provided here shows 'Source: unknown' and 'Homepage: none' — that mismatch is unexplained and reduces confidence in the publisher.
Instruction Scope
The runtime instructions are narrowly scoped: they provide MCP and REST endpoints and list exact parameters sent for each tool call. They do not instruct reading local files or env vars. The remaining concern: the SKILL.md asserts 'only tool call parameters' and 'no conversation history or prompts are forwarded' — that is a claim about what the MCP transport/platform does, not something the skill itself enforces. You should verify your MCP client/platform actually restricts what is sent.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by the skill itself. This is low-risk from an install/execution perspective.
Credentials
No environment variables, credentials, or config paths are requested by the skill. Payment is described as handled by the client's x402 transport layer; that is consistent with 'no credentials' but requires the platform to hold wallet keys centrally — verify that wallet credentials remain under your control and are not exposed to the skill.
Persistence & Privilege
always:false and normal invocation settings. The skill does not request persistent or elevated privileges. Note: autonomous invocation is permitted by default on the platform; the SKILL.md correctly recommends user-invoked only until billing behavior is confirmed.
What to consider before installing
Before installing: 1) Verify the claimed GitHub repo and API docs (confirm the repo/URL exist and match the code and license). 2) Confirm the domains (mcp.printmoneylab.com, api.printmoneylab.com) are legitimate (check TLS certs, WHOIS, and API docs) and that endpoints returned by the platform match SKILL.md. 3) Confirm your MCP client/platform will not forward conversation history or extra context — ask for or review implementation docs and test network traffic in a controlled environment. 4) Understand billing: set the skill to user-invoked only, create strict per-session and per-day spending limits in your MCP client, and test the x402 payment flow with a small budget. 5) Ensure wallet keys remain managed by your platform/client (not by the skill). 6) Because the registry metadata here lists no homepage/source while the SKILL.md claims many registrations, ask the publisher for verifiable registry entries and links; if they cannot provide them, treat the skill as higher risk. If you cannot validate these items, do not enable autonomous invocation and prefer testing in an isolated account or sandbox.Like a lobster shell, security has layers — review code before you run it.
latestvk976e4zkffrqw8mynzr4py2jsx84y8bp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.