ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Luzia Crypto API

v1.0.0

Use this skill whenever the user wants to fetch cryptocurrency prices, stream real-time market data, list exchanges or markets, or retrieve historical OHLCV...

0· 4·0 current·0 all-time
by@hvasconcelos
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the SKILL.md (fetch prices, market lists, OHLCV, WebSocket streaming). However, SKILL.md repeatedly states authentication is required (Authorization: Bearer lz_<key>) while the skill manifest lists no required environment variables or primary credential. This inconsistency is unexpected: a client that calls authenticated endpoints would normally declare a primary env var or require the API key.
Instruction Scope
The instructions are scoped to calling Luzia REST endpoints and the Luzia WebSocket URL and include example request/response shapes and client snippets. They do not instruct the agent to read unrelated files, system credentials, or exfiltrate data to third-party endpoints beyond api.luzia.dev/wss. The only notable runtime action is opening network connections to the Luzia API.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk and no external packages are pulled in. Low install risk.
!
Credentials
The SKILL.md requires an API key (lz_... format) for all endpoints, but the manifest declares zero required env vars or primary credential. This mismatch could lead the agent to prompt the user for credentials ad hoc or to attempt to operate without authentication. The documented need for WebSocket (streaming) access is also not reflected in any declared network or permission expectations.
Persistence & Privilege
The skill does not request persistent presence (always is false), does not modify other skills or system settings, and declares no config paths. Normal privilege level for an API integration.
What to consider before installing
This skill looks like a normal API integration for Luzia, but the SKILL.md requires an API key (Authorization: Bearer lz_<key>) even though the manifest lists no required credentials. Before installing or invoking it, be prepared to: (1) supply your Luzia API key only if you trust the service and understand how the agent will use/store it, (2) confirm you are comfortable the agent will open network connections to api.luzia.dev and its WebSocket endpoint, and (3) ask the skill author or registry to declare the API key as a required credential (or document how the agent will securely obtain and handle the key). If you don't want the agent to handle secrets interactively, do not provide your API key and instead query public data sources that don't require authentication.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b93tmnmz25yvq52rj67tc2d84m4hp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments