crypto-research
Warn
Audited by ClawScan on May 10, 2026.
Overview
This looks like a coherent crypto-market analysis skill, but it publicly embeds a third-party ARKM API key, so it needs review before use.
Review before installing. The market-data workflow itself is reasonable, but the ARKM API key should be removed and rotated, and any needed provider access should be supplied through your own scoped secret. Also expect the helper scripts to use curl/python3 and to contact external market-data services.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone viewing or installing the skill could reuse or further leak the same provider credential, and users cannot verify its scope, owner, quota limits, or rotation policy.
The skill includes a literal ARKM provider API key in its public instructions, while the registry requirements list no required credentials.
| Institutional funds | ARKM API | API key: e77c4a5d-... |
Remove and rotate the exposed key. Require users to configure their own least-privilege ARKM credential through an environment variable or secret store, and declare that requirement in metadata.
External services may receive request metadata, and the report quality depends on those data sources being available and trustworthy.
The skill instructs the agent to call external market-data APIs and web-fetch sources. This is disclosed and aligned with the market-analysis purpose.
Use the following APIs to fetch real-time data ... `curl "https://api.binance.com/api/v3/ticker/24hr?symbol=BTCUSDT"` ... `web_fetch`
Use the skill only when external market-data calls are acceptable, and verify important trading decisions against trusted sources.
The helper may fail or behave differently on systems without those tools, and users may not realize the skill includes runnable shell helpers.
The included helper script depends on local curl and python3 shell execution, but the registry requirements declare no required binaries. The code is visible and purpose-aligned, so this is a documentation/provenance note rather than a standalone concern.
curl -s "https://api.binance.com/api/v3/ticker/24hr?symbol=BTCUSDT" | python3 -c
Declare curl and python3 as requirements and document when the helper scripts should be run.
