TrueNorth Crypto Intelligence

Security checks across malware telemetry and agentic risk

Overview

This appears to be a read-only crypto data skill, with the main caveats that it installs a floating npm CLI and sends user query text to TrueNorth's API.

This skill is reasonable for read-only crypto market analysis. Before installing, be comfortable with installing the TrueNorth npm CLI and with your query text being sent to TrueNorth's API; avoid including wallet addresses, secrets, or sensitive personal financial details in prompts.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the skill may install a version of the TrueNorth CLI that differs from the version reviewed in the registry metadata.

Why it was flagged

The skill relies on a globally installed npm package using a floating latest version, so the installed CLI can change over time. This is central to the skill's purpose and is disclosed, so it is a note rather than a concern.

Skill content

"package": "@truenorth-ai/cli@latest", "global": true, "bins": ["tn"]

Recommendation

If you need strict supply-chain control, review the npm package and consider pinning a specific CLI version before installing.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Your crypto query text, and any personal trading details you include in it, may be sent to TrueNorth's public API.

Why it was flagged

For token-specific queries, the workflow sends the user's full message to the CLI/API for entity recognition. The artifact also states that commands call the public TrueNorth API.

Skill content

tn ner "<user's full message>" --json

Recommendation

Avoid including private financial details, wallet addresses, secrets, or account information in queries unless you are comfortable sharing that text with the service.

ASI02: Tool Misuse and Exploitation
Info
What this means

The agent may use a more general API-call path when the listed commands do not fit, which can make the exact API operation less obvious.

Why it was flagged

The execution reference includes a generic fallback for calling named API tools directly. The artifacts describe the API as read-only and unauthenticated, so this broadens the command surface but does not show high-impact mutation authority.

Skill content

tn call <toolName> --arg value --json

Recommendation

Prefer the documented task-specific commands where possible, and ask the agent to explain any generic tool call before using it.