Skill v1.0.9

ClawScan security

TronScan Token Scanner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 27, 2026, 7:25 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requests and instructions match its stated purpose (querying TronScan MCP APIs for token and TRX data); it appears coherent but lacks external provenance and will send user queries to an external MCP server, so review privacy before use.
Guidance
This skill appears to be what it says: a Tron/TronScan MCP-based token scanner. Before installing, note that queries (including any token contract addresses or account addresses the user provides) will be sent to the external MCP server listed in SKILL.md (https://mcp.tronscan.org/mcp). If you need to protect privacy or sensitive addresses, avoid sending them to third-party endpoints. Also be aware the skill has no listed homepage or repository — if provenance matters to you, try to verify the MCP domain and the skill author externally or test the skill with non-sensitive queries first. No credentials are requested, which reduces risk.

Review Dimensions

Purpose & Capability
ok: Name/description (Tron token scanning) align with the documented APIs and tool names (getTokenPrice, getTrc20TokenDetail, getTrc20TokenHolders, etc.). There are no unexpected binaries, credentials, or config paths required for the stated functionality.
Instruction Scope
note: SKILL.md directs the agent to call an external MCP server (https://mcp.tronscan.org/mcp) and lists many token-related API endpoints — this is coherent for a token scanner. Note: runtime will send user-supplied contract addresses and queries to that external server (expected for networked lookups), which has privacy implications but is not out of scope for the skill's purpose.
Install Mechanism
ok: No install spec and no code files — instruction-only skill. This minimizes on-disk risk because nothing is downloaded or installed by the skill itself.
Credentials
ok: The skill requires no environment variables, credentials, or config paths, which is proportional for a public-data token scanner. There are no unexplained requests for secrets or unrelated service tokens.
Persistence & Privilege
ok: "always" is false and autonomous invocation is allowed by default; neither is surprising. The skill does not request permanent or elevated system presence or modify other skills' config.