Back to skill
Skillv1.0.3
ClawScan security
TronScan Realtime Network · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 14, 2026, 1:21 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only connector that documents calling TronScan MCP endpoints for realtime TRON network metrics; its requirements and instructions are coherent with that purpose and it does not request unrelated credentials or install code.
- Guidance
- This skill is instruction-only and appears coherent: it simply directs the agent to call TronScan MCP endpoints for realtime TRON metrics. Before installing, verify the MCP server URL (https://mcp.tronscan.org/mcp) is the official/trusted endpoint you expect, understand that the skill will make outbound network calls to that host, and that heavy usage may require obtaining and configuring an API key in your MCP settings. Because there is no code bundled, the risk is limited to network calls — only proceed if you trust the MCP host and understand the data flows (no local files or unrelated credentials are requested). If you need stronger assurance, confirm the skill author (tronscan-mcp) and the MCP docs on the official TronScan site.
Review Dimensions
- Purpose & Capability
- okName/description (realtime TRON network metrics) match the SKILL.md: it lists specific MCP tools (getLatestBlock, getCurrentTps, getHomepageData, etc.) and explains which to call for each metric. There are no unrelated env vars, binaries, or config paths requested.
- Instruction Scope
- noteInstructions explicitly direct the agent to call a single external MCP server (https://mcp.tronscan.org/mcp) and to invoke named tools through TronScan MCP (tools/call). This is expected for the stated purpose, but it does require network access to that endpoint and may rely on an API key configured in MCP (the doc mentions adding an API key if rate-limited). The instructions do not request reading local files or unrelated credentials.
- Install Mechanism
- okNo install spec and no code files — instruction-only — so nothing is written to disk or fetched during install.
- Credentials
- okThe skill declares no environment variables, credentials, or config paths. The mention of obtaining an API key is advisory (for configuring MCP), not a requirement of the skill itself, so there is no disproportionate credential request.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system privileges or changes to other skills. It is user-invocable and can be invoked autonomously (platform default), which is appropriate for a data connector.