ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fear Greed Index

v1.0.1

Crypto Fear & Greed Index reporter. Fetches current market sentiment index and provides simple analysis combined with BTC price movement. Use when users want...

0· 36·0 current·0 all-time
by@yuyiyuleyuli-cloud
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Functionality (fetching Alternative.me F&G index and BTC price) matches the name/description. The additional behavior — charging via SkillPay.me — is plausible for a paid skill, but the registry metadata did not declare any required env vars or primary credential even though the code expects SKILLPAY_API_KEY. That mismatch is unexpected.
!
Instruction Scope
SKILL.md instructs running the included scripts with a --user-id and notes a per-call price, but it does not document that the code will attempt to POST to https://skillpay.me/api/v1 and requires a SKILLPAY_API_KEY (from --api-key or env). The scripts will perform network calls to both Alternative.me and SkillPay.me and will exit if the billing call fails. The instructions omit an operational requirement (the API key) and lack detail about what is sent to the payment endpoint.
Install Mechanism
No install spec; code is provided as simple Python scripts that will be executed. No external installers, downloaded archives, or obscure URLs are used. This is low installation risk.
!
Credentials
Registry metadata declares no required environment variables, but both scripts read SKILLPAY_API_KEY from the environment (or accept it via CLI). Requiring an API key for billing is reasonable, but it should be explicitly declared as a required credential (primaryEnv) so users know a secret is needed. There are no other unrelated credentials requested.
Persistence & Privilege
The skill does not request persistent or elevated agent privileges; always is false, it does not modify other skill configs, and it only performs outbound HTTP requests. Normal autonomous invocation is allowed but not combined with other high privileges.
What to consider before installing
This skill fetches the Fear & Greed index and BTC price as advertised, but it also charges 0.001 USDT per call via SkillPay.me and expects a SKILLPAY_API_KEY (env or CLI) even though the registry/SKILL.md don't declare that requirement. Before installing: 1) Ask the publisher to declare SKILLPAY_API_KEY (or remove the billing call) and to document exactly what data is sent to SkillPay.me. 2) Verify the reputation and TLS/ownership of https://skillpay.me and the billing API. 3) If you must provide an API key, prefer creating a scoped or revocable key and test the scripts in a sandboxed environment first. 4) If you do not want automatic billing or to share an API key, do not install or run this skill until the billing flow is made explicit and registered in the skill metadata.

Like a lobster shell, security has layers — review code before you run it.

latestvk978ny9ysfezqxb0rtkrshg3xx845s55

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments