Skill v1.0.0

ClawScan security

Crypto Portfolio Tracker API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 14, 2026, 1:11 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match a straightforward crypto portfolio tracker using the Prism API; however, there are metadata/name inconsistencies you should verify (publisher/package) before installing.
Guidance
This package appears to be a normal crypto portfolio tracker that queries prismapi.ai for prices. Before installing:
1) Verify the npm package and publisher (package name in SKILL.md/package.json vs. skill.json mismatch); install only from the official npm/org you expect.
2) Inspect the package on the npm registry or its GitHub repo to confirm the source and recent activity.
3) If you provide a PRISM_API_KEY, ensure it is a scoped API key (no private wallet keys) and understand it will be sent to https://api.prismapi.ai.
4) Prefer installing in an isolated environment and review the package code (src/index.js) for any unexpected network endpoints.
If you cannot confirm the publisher or repository, treat the metadata inconsistencies as a red flag and avoid installing until provenance is confirmed.

Review Dimensions

Purpose & Capability
note
The code implements the described portfolio-tracking functionality (price lookups, valuation, P&L). However, repository/package/author metadata is inconsistent across files: package.json lists name "crypto-portfolio-tracker-api" and author "OpenFinance <hello@prismapi.ai>", skill.json references "strykr-portfolio-tracker" and npm "@strykr/portfolio-tracker", and README/CLI text refer to Strykr/Prism. These naming and metadata mismatches are not themselves malicious but are incoherent and warrant verification of the package origin.
Instruction Scope
ok
SKILL.md contains only installation and usage instructions for the library and CLI (npm install, API calls). It does not instruct reading unrelated system files, secrets, or exfiltrating data. CLI help notes an optional PRISM_API_KEY for higher rate limits, which is consistent with the code.
Install Mechanism
ok
No install spec in the registry (instruction-only), and SKILL.md instructs installing the npm package. The provided code has no external installers or downloads, and package.json lists no external dependencies; no high-risk install behavior observed.
Credentials
note
The code optionally reads PRISM_API_KEY from process.env.PRISM_API_KEY for higher rate limits, but the registry metadata declared no required env vars. This is reasonable (optional key), but you should be aware the package will use an API key if provided. No other credentials or sensitive env vars are requested.
Persistence & Privilege
ok
The skill does not request persistent/privileged presence (always: false). It does not modify other skills or system configuration and has no install-time scripts in the manifest that would grant elevated privileges.