Back to skill
Skillv1.0.4
ClawScan security
Crypto Kline BTC加密货币K线数据-HuoBi · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 10, 2026, 9:49 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match its description (fetching Huobi K-line data); it makes direct HTTPS requests to Huobi and requires Node to run, with no unexplained credential or file access.
- Guidance
- This skill appears coherent and performs only public Huobi API calls. Before installing: ensure your agent environment has Node.js available (the skill expects node), and that you are comfortable allowing outbound HTTPS requests to api.huobi.pro. The skill source/homepage are unspecified — if you require stronger trust, review the script contents yourself or run it in a sandboxed environment. No credentials are requested, and autonomous invocation is allowed by default (normal), so only install if you permit the agent to make network calls on your behalf.
Review Dimensions
- Purpose & Capability
- noteThe skill's name/description (Huobi K-line data) aligns with the included script that issues HTTPS GETs to api.huobi.pro for market/history/kline. Minor inconsistency: registry metadata at the top lists no required binaries, but _meta.json and SKILL.md expect node (the script is a Node.js CLI). Node is a legitimate requirement for this purpose.
- Instruction Scope
- okSKILL.md instructs only running the provided Node script with symbol/period/size arguments. The script only reads its CLI args and performs network requests to Huobi; it does not read other files, environment variables, or send data to unexpected endpoints.
- Install Mechanism
- okNo install spec is provided (instruction-only plus a script file). Nothing is downloaded or extracted at install time. This is low-risk; the only runtime requirement is that Node is available.
- Credentials
- okThe skill requests no environment variables or credentials. The script makes unauthenticated GET requests to Huobi's public market API — no secrets are needed or requested, which is proportionate for public market data.
- Persistence & Privilege
- okalways is false and the skill does not modify system or other skills. It requires no persistent elevated privileges and does not attempt to store credentials or change global config.