valuescan-skill
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent ValueScan crypto-market data wrapper that uses user-provided API credentials; no artifact-backed wallet control, purchasing, destructive action, or secret exfiltration was found.
Before installing, understand that this skill is for crypto-market analysis and can use your ValueScan API key/secret, spend API credits, and send selected wallet addresses or token queries to ValueScan. Do not provide private keys, seed phrases, exchange login credentials, or any wallet address you do not want associated with your queries.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use the user's ValueScan API credentials and may consume that account's API quota or credits.
The skill reads a local ValueScan API key and secret key and uses them for request signing. This is sensitive account access, but it is consistent with the documented ValueScan API authentication flow.
const credPath = path.join(os.homedir(), '.openclaw', 'credentials', 'valuescan.json'); ... const apiKey = creds.valuescanApiKey; const secretKey = creds.valuescanSecretKey;
Use a dedicated ValueScan API key if possible, keep the credentials file protected, monitor API usage, and revoke the key if you stop using the skill.
Frequent or broad requests could spend ValueScan credits or API quota, even though the shown endpoints are data retrieval rather than trading actions.
The API reference explicitly states that endpoint calls can consume credits. This is expected for a paid/provider API, but users should be aware before allowing repeated or broad analysis calls.
`credits_cost` | integer | 调用该接口消耗的积分数量
Ask the agent to confirm before running large batches or repeated monitoring queries, especially on endpoints with higher credit costs.
Wallet addresses or token queries you provide for analysis may be sent to ValueScan and could reveal what addresses or assets you are interested in.
The documented workflow includes sending user-provided wallet addresses or token queries to the external ValueScan API. This is purpose-aligned, but it is still an external data flow.
用户提供地址:“帮我分析这个地址的持仓成本变化。” → 调用 `持仓趋势` ... **Base URL**: `https://api.valuescan.io/api/open/v1`
Only submit wallet addresses or portfolio-related queries you are comfortable sharing with ValueScan; avoid entering private keys or exchange credentials.
Users have less provenance assurance and may see minor version-contract ambiguity.
The registry lists an unknown source and version 1.0.6, while SKILL.md/_meta.json show version 1.0.5. No remote installer or hidden dependency is shown, so this is a provenance/metadata note rather than a behavior concern.
Source: unknown; Version: 1.0.6
Prefer installing from a trusted registry entry, and verify the homepage/API documentation if provenance or exact version matters.