Skill v1.0.0

ClawScan security

Consortium AI Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:32 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill appears to do what it claims (fetch a trading signal from an external API), but the registry metadata does not declare the API credential that the SKILL.md and the bundled script require. This mismatch between declared requirements and runtime behavior should be resolved before the skill is trusted.
Guidance
This skill's behavior (calling https://api.consortiumai.org with an API key) matches its description, and the included script is readable and focused. The main problem is a metadata mismatch: the registry claims no required env vars, but the SKILL.md and the script require TRADING_ANALYSIS_API_KEY, so neither the platform nor the user is told up front that a secret will be read and sent to an external host. Before installing or using the skill:
1) verify the owner and the legitimacy of https://consortiumai.org and api.consortiumai.org (look for a public repo or official docs);
2) do not provide high-privilege or long-lived secrets; prefer a scoped, limited, or audit-only API key, since whoever controls the endpoint receives whatever key you configure;
3) run the bundled script locally yourself and confirm that it reads only TRADING_ANALYSIS_API_KEY and contacts only api.consortiumai.org;
4) ask the skill publisher to correct the registry metadata so that TRADING_ANALYSIS_API_KEY is declared as a required env var.
If you cannot verify the provider or the endpoint, treat the API key as sensitive and do not install the skill.

Review Dimensions

Purpose & Capability
note · Skill name and description match the code and SKILL.md: both call https://api.consortiumai.org to fetch trading analysis. However, the registry metadata lists no required environment variables while the SKILL.md and the included script require TRADING_ANALYSIS_API_KEY, a clear mismatch.
Instruction Scope
ok · SKILL.md instructions are narrowly scoped: set an API key env var and call the API or the bundled Node script. There is no instruction to read unrelated files, harvest other env vars, or send data to unexpected endpoints.
Install Mechanism
ok · No install spec; the skill is instruction-only but includes a small bundled script. No downloads from external URLs or archive extraction are present, which is low risk. The script is plain and readable.
Credentials
concern · Runtime requires a single API key (TRADING_ANALYSIS_API_KEY), which is proportionate to the task; however, the registry metadata does not declare this required environment variable. The omission is suspicious because users and the platform are not informed that a secret will be requested and used. The script does not access other secrets or unrelated env vars.
Persistence & Privilege
ok · The skill does not request always:true and does not modify other skills or system configs. It runs on-demand and only performs a single external GET request when invoked.