ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stablecoin Depeg Monitor

v1.0.0

Monitor stablecoin peg stability and review historical depeg events. Covers real-time price deviations and past incidents for USDT, USDC, DAI, USDe, FDUSD, a...

0· 51·0 current·0 all-time
by@zuoyeweb3
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description promise 'real-time price deviations' and price-threshold alerts (Green/Yellow/Red), yet the only runtime data source documented is https://api.barker.money/api/public/v1/stablecoin-market, which (as shown) returns market cap, TVL and asset distribution — not explicit per-stablecoin price or on-chain price feeds. Using TVL/share_pct to infer peg status is plausible for market-stress signaling but is not equivalent to direct price checks; the mismatch means the skill may not actually deliver the price-based alerts it advertises.
!
Instruction Scope
SKILL.md instructs the agent to call the Barker public API and to use asset_distribution to detect abnormal TVL outflows. It does not instruct how to obtain or validate per-stablecoin prices (DEX quotes, CEX prices, or oracle feeds) despite relying on price thresholds. The instructions do not read local files or credentials (good), but they are incomplete for the declared task and give the agent no fallback or cross-check strategy.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk and no packages are installed. This is low risk from an install perspective.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The lack of secrets requested is appropriate for a read-only public-API monitoring skill.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent system presence or modification of agent/system settings. Autonomous invocation is allowed by platform default, but there is no evidence of elevated privileges.
What to consider before installing
This skill is not obviously malicious, but it is internally inconsistent: it promises price-based peg alerts yet shows only a Barker endpoint that returns TVL/market-cap data, not per-coin prices or oracle checks. Before installing or using it routinely, ask the author for: (1) documentation proving the Barker endpoint provides reliable per-stablecoin price data (or an explicit additional endpoint for price/oracle feeds), (2) how the agent should compute and validate the price-based thresholds (which data sources it will use and how it cross-checks them), and (3) rate-limit and provenance guarantees for Barker. If you rely on this for safety actions (e.g., 'reduce exposure'), require the skill to incorporate independent price sources (CoinGecko/CoinMarketCap, on-chain DEX quotes, or Chainlink/other oracles) and to disclose confidence and timestamps in any alert. Finally, consider treating its alerts as advisory only and verify before making fund-moving decisions.

Like a lobster shell, security has layers — review code before you run it.

latestvk971a9qxw98f35fm7tnz0wz1d984by40

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments