Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

mcp-crypto-data

v1.0.0

Real-time cryptocurrency prices, network fee estimates, and Lightning Network statistics via L402 API. Use when agents need crypto market data, fee planning,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code: the included Node MCP server fetches prices, fees, and Lightning stats from an external API. That functionality reasonably explains requiring a base API URL and npx for on-demand execution. However, metadata mismatches (package/author names differ across files) and a missing homepage/source reduce trust.
! Instruction Scope
SKILL.md instructs setting L402_API_BASE_URL, but the actual code reads NAUTDEV_BASE_URL (and falls back to https://api.nautdev.com). This means the runtime instructions/environment declaration are incorrect and the agent may talk to an unexpected default endpoint. Otherwise the instructions do not ask the agent to read local files or other secrets.
Install Mechanism
No formal install spec is included (instruction-only), and the SKILL.md shows running the package via npx. The package files are present in the bundle (src/dist/package.json), so code will be executed if installed. Using npx will fetch the package from the registry at runtime — verify the package identity on the registry before running.
! Credentials
The skill declares L402_API_BASE_URL as required, but the code uses NAUTDEV_BASE_URL or a hardcoded default. There are no credentials requested for the L402 micropayments mention (which may be expected), but the env-var mismatch and the hardcoded default API host risk accidental data flow to an endpoint the user did not intend.
Persistence & Privilege
always is false and the skill does not request persistent system-wide configuration or other skills' credentials. It runs as an MCP server process and only contacts the external API; it does not modify system files or other skills' settings.
What to consider before installing
Do not install blindly. Before using this skill:

1) Verify the package and author on the npm registry (package.json name is @vbotholemu/mcp-crypto-data but README references @blue-trianon) and confirm the publisher is trustworthy.
2) Confirm which environment variable the published package actually reads (NAUTDEV_BASE_URL vs L402_API_BASE_URL) and whether the default API host (https://api.nautdev.com) is acceptable. If you intend to use a different endpoint, set the correct env var expected by the code.
3) Because SKILL.md and code disagree, prefer installing and inspecting the package locally (review dist/index.js) before running npx in a production environment.
4) No secret credentials are requested by the skill, but remember that any queries (coin symbols, etc.) will be sent to the remote API — avoid sending private or sensitive data to it.
5) If you need stronger safety, ask the publisher for a source repository and signed release, or run the code in an isolated environment and/or pin a specific vetted package version.
dist/index.js:7
Environment variable access combined with network send.
src/index.ts:7
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


Runtime requirements

Clawdis
Bins: npx
Env: L402_API_BASE_URL

SKILL.md

Crypto Data (L402)

Real-time cryptocurrency data — prices, fees, and Lightning Network stats.

Setup

{
  "mcpServers": {
    "crypto-data": {
      "command": "npx",
      "args": ["-y", "@vbotholemu/mcp-crypto-data"],
      "env": {
        "L402_API_BASE_URL": "https://api.nautdev.com"
      }
    }
  }
}

Tools

get_crypto_price

Real-time price for any supported cryptocurrency.

get_network_fees

Current transaction fee estimates for Bitcoin and other networks.

get_lightning_stats

Lightning Network statistics — node count, channel count, total capacity.

When to Use

  • Portfolio monitoring and price checks
  • Transaction fee estimation before sends
  • Lightning Network health monitoring
  • Market data for trading agents

Files

7 total