Skill v1.0.4
ClawScan security
whitebit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 12:29 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only, documentation-first WhiteBIT training and planning helper that requests only the ClawHub CLI and MCP docs access — its requirements and instructions align with its stated purpose.
- Guidance: This skill appears coherent and documentation-first. Before installing: ensure the 'clawhub' CLI is installed and you are comfortable using ClawHub for skill lifecycle actions; confirm you have the 'whitebit-docs' MCP connector available if you want accurate API validation; never publish or upload API keys or .env files to ClawHub; treat this skill as training/documentation-only — do not expect it to place live trades unless you separately configure and audit an execution connector that holds your API credentials; note the packaged agent config allows implicit invocation, so review agent invocation policies if you want to restrict autonomous use.
Review Dimensions
- Purpose & Capability (ok): Name/description (WhiteBIT trading guidance & training) match the runtime instructions and file contents. The only declared runtime dependency is the 'clawhub' CLI, which is appropriate for a skill that manages/publishes itself through ClawHub. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope (ok): SKILL.md confines the agent to documentation lookup (whitebit-docs MCP) and training/execution-prep workflows; it explicitly forbids live execution unless a separate execution connector is configured. It does not instruct reading arbitrary system files or exfiltrating secrets. The guidance to check for MCP connectors and to require explicit user confirmation for live trades is consistent with the stated training-only intent.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code to download — lowest-risk install posture. The README and references only recommend using the user-installed 'clawhub' CLI or cloning the repo locally; no remote code fetches or extract operations are present.
- Credentials (ok): No required environment variables or credentials are declared. The skill repeatedly states it does not require runtime WhiteBIT API keys and directs keys to be stored in a separate executor if used. Required MCP connector (whitebit-docs) and clawhub CLI are proportionate to the purpose.
- Persistence & Privilege (note): The skill is not always-included (always: false). The included agents/openai.yaml sets allow_implicit_invocation: true which permits implicit invocation behavior at the agent-config level; autonomous invocation is the platform default and is not in itself a problem, but users should be aware implicit invocation is allowed by this skill's packaged agent config.
