ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Web3 Target Team Research

v1.0.1

Find crypto/web3 teams with $10M+ funding and verified Telegram contacts. Use when hunting for crypto leads, building contact lists, researching funded startups, or prospecting web3 companies. Spawns parallel subagent hunters to search VC portfolios and verify TG handles.

0· 1.8k·0 current·0 all-time
by@shwchlorine
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The stated purpose (hunt for $10M+ crypto teams and verify Telegram handles) is coherent with instructions to search VC portfolios, check funding, and verify t.me profiles. However, the skill repeatedly references absolute local paths (/Users/derrick/clawd/crypto-master.csv, etc.) and workspace files (HEARTBEAT.md) tied to a specific user, which is not justified by the generic skill description and suggests the instructions expect access to a particular user's filesystem. That hard-coded path is disproportionate and unlikely to work for other users.
!
Instruction Scope
SKILL.md and referenced templates instruct the agent to spawn parallel subagents (sessions_spawn), create cron jobs to auto-respawn hunters every 10 minutes, continually retry and 'never stop', update HEARTBEAT.md, and read/write master CSVs. They also direct the agent to fetch web pages and take screenshots of Telegram profiles. The automation and persistent respawn behavior is open-ended and broad; the files and system commands referenced (grep/cat on absolute paths) reach outside a minimal, purpose-limited scope.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no downloaded code or package install risk. That lowers the risk of arbitrary code being written to disk. The remaining risk comes from the runtime instructions the agent will execute.
!
Credentials
The skill declares no environment variables or credentials, which at first glance is appropriate. However, it instructs reading/writing CSVs at hard-coded absolute paths and editing HEARTBEAT.md, which implies access to local files that are unrelated to the declared workspace. The lack of declared env/config requirements but simultaneous reliance on specific user files is a mismatch and could cause the agent to attempt to access sensitive local data or fail in unexpected ways.
!
Persistence & Privilege
Although always:false (not force-installed), the instructions explicitly direct creating a cron job to check and respawn subagents every 10 minutes and to 'RUN 24/7 UNTIL DERRICK SAYS STOP'. That grants the skill effective continuous autonomous operation if the platform honors the cron and sessions_spawn calls. Persistent auto-respawn behavior combined with autonomous subagent spawning increases blast radius and should be treated cautiously.
What to consider before installing
This skill appears to do what it says (hunt funded Web3 teams and verify Telegram handles), but it contains multiple red flags you should consider before installing: - Hard-coded local paths: The instructions reference /Users/derrick/... CSVs and HEARTBEAT.md. Confirm whether the skill will be run in an isolated workspace or if it will try to read/write files in your home directory. If you don't know why those paths are present, don't install or ask the author to generalize to workspace-relative paths. - Persistent, autonomous behavior: The skill tells the agent to create a cron job and continuously respawn subagents (24/7). If installed, it could run indefinitely and spawn many subagents. Limit installation to manual/invokable-only use or require human approval for spawning jobs. - File access and privacy: The skill instructs using cat/grep on CSVs and updating HEARTBEAT.md — verify what files the agent can access. If your environment grants broad filesystem access, this could expose unrelated data. - Platform capabilities: The instructions assume platform functions like sessions_spawn, sessions_list, cron({...}), and web_fetch screenshots. Confirm whether your environment supports those APIs and what permissions they grant. If those APIs can create persistent jobs or spawn many subagents, consider restricting or monitoring them. - Operational/ToS considerations: The skill scrapes Telegram profiles and takes screenshots. Ensure this behavior aligns with legal/ToS rules for the sites you target. Recommendations: only run this skill in a sandboxed environment, require manual invocation rather than auto-respawn, remove or change hard-coded absolute paths to workspace-relative locations, and require human confirmation before spawning subagents or adding cron jobs. If you need continuous operation, get explicit documentation on how the cron/session APIs behave and what limits you can apply (rate limits, maximum subagents, logging, and stop procedures).

Like a lobster shell, security has layers — review code before you run it.

latestvk975wm9dv3d6saf419d3vtpxmx7zzk2n
1.8kdownloads
0stars
2versions
Updated 14h ago
v1.0.1
MIT-0
@shwchlorine
latest
Download

Web3 Target Team Research

Find well-funded crypto teams ($10M+) with verified Telegram contacts for outreach.

Quick Start

Hunt for crypto teams from [SOURCE]

Example sources: Paradigm portfolio, recent funding news, Solana ecosystem, DeFi protocols

How It Works

  1. Spawn hunters - Parallel subagents search different VC portfolios/sources
  2. Find teams - Filter for $10M+ funding, check if already tracked
  3. Verify TG - Screenshot t.me/{handle}, require pfp OR bio with company affiliation
  4. Add to CSV - Append verified contacts to master CSV

Commands

Start Hunting

Start crypto hunters targeting [SOURCES]

Spawns 3 hunters with specified focus areas.

Check Status

How many teams do we have?

Returns count from crypto-master.csv.

Stop Hunting

Stop the crypto hunters

Removes the auto-respawn cron job.

CSV Format

Master CSV: crypto-master.csv

Name,Chain,Category,Website,X Link,Funding,Contacts
Uniswap,ETH,DEX,https://uniswap.org,https://x.com/Uniswap,$165M,"Hayden Adams (Founder) @haaboris"

No-Contacts CSV: crypto-no-contacts.csv (teams researched but no valid TG found)

Chain values: ETH, SOL, BASE, ARB, OP, MATIC, AVAX, BTC, MULTI, N/A

TG Verification Rules

A TG handle is valid if the profile has:

  • Profile picture (pfp), OR
  • Bio mentioning the company/role

Invalid: Empty profiles, wrong person, channels instead of personal accounts

Hunter Task Template

See references/hunter-task.md for the full subagent task template.

Auto-Hunting Setup

To run hunters continuously:

  1. Create a cron job that checks hunter count every 10 minutes
  2. Add to HEARTBEAT.md to auto-respawn if < 3 hunters active

See references/auto-hunt-setup.md for cron configuration.

Best Sources (by success rate)

High yield (~40%+ TG conversion):

  • Consumer/DeFi protocols (Paradigm, Dragonfly, Framework)
  • Bridge/interop projects
  • Security/auditing firms

Medium yield (~20-30%):

  • Gaming/NFT (Animoca, Immutable)
  • L2s and infrastructure
  • Asia-focused VCs (Hashed, OKX Ventures)

Low yield (<20%):

  • Enterprise/institutional (Point72, Tiger Global)
  • Oracles and data providers
  • Social/community platforms

Tips

  • Always grep -i "TeamName" both CSVs before adding
  • Team members often have different X vs TG handles
  • Founders have lower TG presence than BD/marketing roles
  • Recent funding announcements = fresher, more findable contacts

Comments

Loading comments...