Skill v1.0.0
ClawScan security
solscan-market-by-solscan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Apr 6, 2026, 3:37 AM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill legitimately implements Solscan Pro API calls but its metadata is inconsistent with the shipped code: it fails to declare required environment variables (SOLSCAN_API_KEY) and runtime prerequisites (python3 + requests), which is a material coherence issue the user should resolve before installing.
- Guidance: This skill appears to implement the Solscan Pro API correctly, but its published metadata omits required runtime information. Before installing or providing secrets: (1) ask the publisher to update the registry to list SOLSCAN_API_KEY as a required environment variable (and declare it as the primary credential), and to list required binaries/dependencies (python3 and the 'requests' package); (2) only provide an API key with minimal required scope, rotate the key later, and monitor API usage/quotas; (3) run the skill in an isolated environment or sandbox if possible; (4) inspect the included script yourself — it appears to only contact pro-api.solscan.io, but you should verify there are no hidden endpoints or obfuscated code; (5) if the publisher cannot or will not correct the metadata, treat the package as untrusted and avoid supplying secrets to it.
Review Dimensions
- Purpose & Capability (concern): Skill name/description match the included implementation: the Python script and SKILL.md call the Solscan Pro API. However, the published registry metadata declares no required environment variables or binaries, while the script requires an API key (SOLSCAN_API_KEY) and is invoked with python3. The missing declarations are disproportionate to the stated purpose and reduce transparency.
- Instruction Scope (concern): SKILL.md instructs callers to run `python3 scripts/solscan.py` and to provide an API token; the script reads SOLSCAN_API_KEY from the environment and only makes HTTPS requests to https://pro-api.solscan.io/v2.0. While the runtime actions are consistent with the described purpose, the instructions access an environment secret that is not listed in the registry metadata — a scope mismatch that should be corrected.
- Install Mechanism (note): There is no install spec (low-risk) and the package includes the Python script directly. That is reasonable, but the package does not declare runtime dependencies (python3 or the 'requests' package). This will cause runtime failures unless the environment already satisfies those dependencies.
- Credentials (concern): The code requires a single credential (SOLSCAN_API_KEY) to operate. Requiring one API key is proportional to the task, but the registry declares no required env vars or primary credential. The undeclared use of an environment secret is a transparency and safety concern (users won't know what secret they're expected to provide).
- Persistence & Privilege (ok): The skill is not marked 'always:true' and uses the platform default for invocation. It does not request persistent system-wide privileges or modify other skills. Autonomous invocation is enabled by default (expected) but not combined with other high-risk flags.
