Skill v1.0.6
ClawScan security
TronScan Data Insights · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 28, 2026, 1:56 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only TRON analytics helper that calls Tronscan MCP APIs, and its requested capabilities and resources align with its stated purpose, but it will send user queries to an external MCP server (privacy consideration).
- Guidance: This skill appears coherent for TRON network analytics: it only contains instructions to query the Tronscan MCP APIs and requires no installs or secrets. Before installing, consider that any addresses, tokens, or other query parameters you ask the agent to analyze will be sent to the external MCP server (https://mcp.tronscan.org). Do not submit private keys, wallet seeds, or other sensitive secrets. If you need to analyze sensitive or private data offline or avoid external telemetry, request a self-hosted/data-only alternative or confirm the MCP provider's privacy policy and data retention practices.
Review Dimensions
- Purpose & Capability (ok): The name/description (TRON network insights) matches the SKILL.md APIs and listed functions (new accounts, tx stats, hot tokens, top accounts, TVL, etc.). There are no unrelated environment variables, binaries, or install steps requested that would be disproportionate to the described functionality.
- Instruction Scope (note): SKILL.md instructs the agent to call an external MCP server (https://mcp.tronscan.org) and specific Tronscan endpoints (getDailyNewAccounts, getHotSearch, getTop10, etc.). This is consistent with the purpose, but user-provided queries (addresses, tokens, time ranges) will be transmitted to that external endpoint, so there is a privacy/telemetry implication. The doc explicitly warns about DAU vs newAddressSeen, which shows reasonable scope control. No instructions ask the agent to read local files, credentials, or unrelated system state.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files. Nothing is written to disk or downloaded by the skill itself, minimizing installation risk.
- Credentials (ok): No environment variables, credentials, or config paths are required. The skill does not request unrelated secrets or system access; requested capabilities are proportionate to a read-only analytics skill that queries public APIs.
- Persistence & Privilege (ok): always:false (default) and the skill is user-invocable. It does not request permanent presence or modification of other skills/configs. Autonomous invocation is allowed by default but not excessive here.
