Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Holdings Monitor

v1.0.0

Cryptocurrency holdings monitoring tool. Supports multi-wallet address monitoring, real-time price lookup, and holdings statistics.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md advertises multi-wallet address monitoring, holdings/statistics, profit calculation, and scheduled alerts. The shipped script only stores wallet addresses in ~/.crypto-portfolio.json, prints stored addresses, and fetches USD prices from CoinGecko. It does not query blockchain balances, compute holdings or profits, or implement scheduled reporting. Also _meta.json mentions python3 as a required binary while the registry summary showed no required binaries—this metadata mismatch is incoherent.
Instruction Scope
Runtime instructions tell the agent/user to run python3 scripts/portfolio.py for add/view/refresh/report; that matches the code. However, SKILL.md documents optional environment variables (BTC_COST, ETH_COST, etc.) and features (holdings, profit calculation, scheduled reports) that the script does not actually use or implement, which is misleading. The script only contacts CoinGecko (api.coingecko.com) — no other external endpoints.
Install Mechanism
No install spec is present (instruction-only with a bundled Python script). This is low-risk from an installation perspective — nothing is downloaded at install time.
Credentials
The skill declares no required credentials or config paths and the code does not request secrets. SKILL.md lists optional COST environment variables for profit calculation, but the script does not read them. No unexplained credentials are requested.
Persistence & Privilege
The skill's always flag is false and the skill does not request persistent system-wide privileges. It writes a single user file (~/.crypto-portfolio.json) to store wallet addresses, which is consistent with local state for this kind of tool.
What to consider before installing
This package is inconsistent: it promises wallet balance monitoring, profit calculation, and scheduled alerts, but the code only saves wallet addresses locally and fetches price data from CoinGecko. Before installing or using it, review the script yourself. Note it will create/modify ~/.crypto-portfolio.json (which will contain any wallet addresses you add). The tool contacts api.coingecko.com (no API keys required). Because the source and homepage are unknown, consider running it in an isolated environment or sandbox, or inspect/modify the code to implement the missing features (balance queries and profit calculations) before trusting it with production data. If you expected automatic on-chain balance fetching, this skill does not provide that — it may be incomplete or poorly maintained rather than malicious, but treat it with caution.
