Skill v1.0.3
ClawScan security
TronScan Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 27, 2026, 7:25 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only TRON blockchain search helper that only describes using the TronScan MCP search API; its required actions and references are consistent with its stated purpose.
- Guidance: This skill appears coherent and low-risk: it just instructs the agent to use TronScan's MCP search API to look up tokens, contracts, accounts, transactions, or blocks. Before installing: 1) Verify the MCP endpoint (https://mcp.tronscan.org) is the official TronScan service you expect; 2) Do not supply private keys or unrelated credentials — the skill only needs a public API key (optional) for rate limits; 3) If you plan to add an API key in your MCP configuration, use a key scoped to TronScan and avoid reusing high-privilege secrets; 4) Be aware the agent will make network requests to the TronScan MCP service when invoked, so consider data privacy for any search terms you send (addresses and contract names are public, but avoid sending private identifiers).
Review Dimensions
- Purpose & Capability: ok. Name/description match the instructions: SKILL.md describes searching tokens/contracts/accounts/tx/blocks and references a TronScan MCP search tool. Nothing requested (no env vars, no binaries, no install) is unrelated to blockchain lookup.
- Instruction Scope: ok. Instructions are narrowly scoped to calling the 'search' tool via TronScan MCP, handling result fields (e.g., token_id, tokenCanShow), and basic troubleshooting (MCP connectivity, rate limits). The doc does not instruct reading local files, unrelated env vars, or exfiltrating data to unknown endpoints.
- Install Mechanism: ok. This is an instruction-only skill with no install spec and no code files — lowest-risk installation model. It references the public MCP server (mcp.tronscan.org) as the service endpoint, which is appropriate for the described functionality.
- Credentials: ok. The skill requires no environment variables or credentials. It mentions optional API keys for the TronScan Developer API only in the context of MCP configuration to avoid rate limits — this is proportional and expected. It does not request unrelated secrets.
- Persistence & Privilege: ok. Skill does not request always:true and is user-invocable only. There is no indication it modifies other skills or system settings. Autonomous invocation is allowed (platform default) but not combined with other red flags.
