Plugin v1.0.1
ClawScan security
Crypto Market Data · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 8:06 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it requires a single AISA_API_KEY and python3, calls the AIsa proxy API (api.aisa.one) for CoinGecko data, and the included scripts/instructions match those requirements.
- Guidance: This skill is coherent: it will send requests to api.aisa.one using the AISA_API_KEY you provide and return CoinGecko-style crypto market data. Before installing, confirm you trust the AIsa service (https://aisa.one), treat AISA_API_KEY as a secret (do not reuse a high-privilege key), and verify rate limits and any billing tied to that key. Note the package is for crypto market data only (not equities); the client prints JSON to stdout, so be mindful about where you paste or store outputs that might contain sensitive info.
Review Dimensions
- Purpose & Capability (note): The name/description promise (CoinGecko market data) matches the implementation: the Python client calls AIsa's CoinGecko endpoints. Minor wording inconsistency: some top-level text mentions 'stock analysis'/watchlists which could be read as equities — the SKILL.md explicitly says DO NOT use for equities and is focused on crypto. Overall the requested resources (python3 + AISA_API_KEY) are appropriate for the stated purpose.
- Instruction Scope (ok): SKILL.md instructs the agent/user to set AISA_API_KEY and run the included Python script. The script only reads the declared AISA_API_KEY env var and performs HTTP requests to https://api.aisa.one; it prints JSON to stdout. There are no instructions to read unrelated files, other environment variables, or to exfiltrate data to unexpected endpoints.
- Install Mechanism (ok): This is an instruction-and-script package with no remote download/install steps. No install spec is present and no arbitrary external artifacts are fetched at install time, so install risk is low.
- Credentials (ok): Only one secret-like environment variable is required (AISA_API_KEY), which is necessary and expected for an API-backed client. The code uses that env var and nothing else. The README mentions 'curl' in the requirements but the client uses Python's urllib; that is a minor documentation mismatch, not an unexplained credential request.
- Persistence & Privilege (ok): The skill does not request always:true, does not modify other skills, and is user-invocable. Autonomous invocation is allowed by default (platform behavior) but the package itself does not escalate privileges or request persistent system-wide presence.
