Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

valuescan-skill

v1.0.6

ValueScan cryptocurrency smart-money fund-flow analysis tool. Supports fund-movement anomaly monitoring, smart-money tracking, whale address analysis, sector rotation, opportunity/risk token identification, and large-holder cost-basis analysis.

by ValueScan-ai @valuescan-io

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (ValueScan crypto fund-flow analytics) match the included artifacts: SKILL.md documents many ValueScan API endpoints and the SDK implements HMAC-SHA256 signing and HTTPS POSTs to api.valuescan.io. The credential requirements (API key + secret) are appropriate and expected for this purpose.
Instruction Scope
Runtime instructions and SDK only read a credential file under the user's home (~/.openclaw/credentials/valuescan.json), build HMAC-SHA256 signatures, and POST to https://api.valuescan.io. They do not reference other system files, other credentials, or external endpoints. Note: the README asserts the credential file path and that credentials are "not uploaded" — the SDK legitimately uses the secret to create signatures and includes the API key in request headers to call the ValueScan API.
Install Mechanism
This is instruction-only with one small SDK file included; there is no install spec that downloads third-party code or writes arbitrary binaries. No network downloads or URL-based installs are present.
Credentials
The skill requires only a ValueScan API key and secret, which is proportionate. The SDK reads a plaintext JSON credential file from ~/.openclaw/credentials/valuescan.json — storing secrets there is functional but has local-security implications (plaintext on disk). There are no other unrelated env vars, keys, or platform credentials requested.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges or modify other skills. It will read its own credential file under the user's home but does not alter system-wide settings.
Assessment
This skill appears to be a straightforward client for the ValueScan API and requires your ValueScan API Key and Secret Key. Before installing: (1) Confirm you obtained keys from the official site (https://www.valuescan.ai) and use least-privileged keys if possible. (2) Be aware the SDK expects a plaintext credential file at ~/.openclaw/credentials/valuescan.json — storing secrets on disk is convenient but carries local risk; consider file permissions or a safer secret store. (3) The skill will send the API key and signatures only to api.valuescan.io per its code; if you need higher assurance, review the service's privacy/security policies. (4) Note Node.js 16 vs fetch availability: the SDK assumes fetch is available; you may need a runtime that provides it. If you want, I can list the exact lines that read the credential file and build the signature.
Warning: script/sdk/vs_api_sign.js:25
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.



