Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
crypto-research
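v1.0.0 · Cryptocurrency investment research and analysis framework for daily market outlook reports and real-time market monitoring. Use this skill when you need to: (1) generate a daily market report, (2) analyze BTC/ETH price trends, (3) monitor market news and abnormal price movements, (4) draw up trading plans.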
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious, high confidence
Purpose & Capability
The skill's name/description (crypto research, daily reports, BTC/ETH monitoring) aligns with the included scripts that query Binance. However the SKILL.md lists an ARKM API key (e77c4a5d-f752-4a49-a49e-503970893e37) inline and references external data sources/tools (jin10 via web_fetch and 'QVeris skill工具') that are not declared in metadata or requires.env. Embedding an API key in the instructions and referring to other skills/tools without declaring dependencies is disproportionate and unexpected for a straightforward research skill.
Instruction Scope
Instructions are explicit about fetching Binance endpoints (fine) and about producing reports. But they also (a) include a hard-coded ARKM API key in the data-source table, (b) use unspecified 'web_fetch' for jin10 and an external 'QVeris' tool, and (c) reference a Telegram source (@MEcapital_bot). The SKILL.md gives the agent latitude to '主动提醒' when important info is found (implying monitoring/alerting) but offers no constraints or declaration of what data may be accessed/transmitted. The included scripts themselves only call Binance endpoints and are consistent with purpose.
Install Mechanism
No install spec — instruction-only with two small bash scripts. No downloads, package installs, or archive extraction. This is low-risk from an install mechanism perspective.
Credentials
The skill declares no required environment variables or credentials, yet contains a clear hard-coded API key inside SKILL.md. That key is a secret-sized string (looks like an API token) and is not justified in metadata or scope. The presence of an embedded credential is disproportionate (it should either require the user to provide credentials or omit them). Additionally, references to other external services/tools are undeclared (no env vars described for jin10, QVeris, or Telegram access).
Persistence & Privilege
always:false and no install spec means the skill doesn't request permanent/system-level presence. It does not modify other skills or global agent config in the provided files. Autonomous invocation is allowed (platform default) but not combined with other high privileges here.
Scan Findings in Context
[HARD_CODED_API_KEY] unexpected: SKILL.md includes an inline API key for 'ARKM API': e77c4a5d-f752-4a49-a49e-503970893e37. A research skill should not embed third-party credentials; the correct pattern is to require the user to supply their own API key via a declared environment variable or secret store.
What to consider before installing
This skill largely does what it claims (calls Binance and formats crypto research), but it includes an undeclared hard-coded API key and references undeclared external tools (jin10, QVeris) and a Telegram bot. Before installing or using it: (1) Do not assume the embedded ARKM key is safe—treat it as a leaked/third-party credential and remove it or replace with your own key provided via a secure env var; (2) Ask the publisher for source/homepage and explanation for the embedded key and for details on the referenced tools; (3) If you need monitoring/alerts, confirm exactly what endpoints and external services will be contacted and whether any user data will be transmitted; (4) Run the scripts in a sandboxed environment first and inspect network calls (they currently only curl Binance endpoints, which is expected); (5) Prefer replacing hard-coded secrets with declared required env vars and documented configuration; (6) If you cannot verify the author or purpose of the embedded key and external references, avoid giving the skill autonomous monitoring privileges or installing it in production systems.
Like a lobster shell, security has layers — review code before you run it.
