🔍 Crypto Scam Detector v2.0
Database-first cryptocurrency scam detection for OpenClaw
Analyzes crypto addresses for phishing, honeypots, rug pulls, and ponzi schemes using a local database with background sync from Etherscan. Zero external API calls during user checks = instant results!
✨ What's New in v2.0
🚀 Major Architecture Upgrade
- ✅ Database-first design - All checks query local SQLite database
- ✅ Instant results - No API latency during checks (<5ms)
- ✅ No rate limits - User queries never hit Etherscan API
- ✅ Background sync worker - Separate process pulls from Etherscan
- ✅ Transaction message analysis - Decodes and analyzes hex data
- ✅ Auto-queue system - Unknown addresses automatically queued for sync
- ✅ Deep scanning - Detects suspicious keywords in transaction data
🔍 Enhanced Detection
Now catches scams the old version missed:
- ✅ "Lazarus Vanguard" hacking group references
- ✅ "Orbit Bridge Hacker" mentions
- ✅ Private key phishing attempts
- ✅ Exploit recruitment messages
- ✅ And much more...
📦 What's Included
crypto-scam-detector/
├── SKILL.md # This file
├── DATABASE_ARCHITECTURE.md # Technical documentation
├── database.py # SQLite database layer
├── crypto_check_db.py # Database-only checker (instant)
├── sync_worker.py # Background Etherscan sync worker
├── secure_key_manager.py # Encrypted API key storage
├── install.sh # Auto-installer
├── setup.sh # API key setup wizard
├── check_address.sh # Convenience script (sync if needed)
├── requirements.txt # Python dependencies
└── venv/ # Virtual environment (created on install)
🚀 Quick Start
1. Install
cd ~/.openclaw/workspace/skills/crypto-scam-detector
bash install.sh
2. Configure Etherscan API Key (Optional but Recommended)
Option A: Interactive Setup (Encrypted storage)
./setup.sh
# Follow the wizard to encrypt your API key
Option B: Environment Variable
export ETHERSCAN_API_KEY="your_key_here"
Get free API key: https://etherscan.io/myapikey
3. Check an Address
# Check address (instant, database-only)
python3 crypto_check_db.py 0x1234567890abcdef1234567890abcdef12345678
4. Run Background Sync Worker
Manual mode:
python3 sync_worker.py
# Runs continuously, processes queue
Batch mode:
python3 sync_worker.py --max-jobs 20
# Process 20 addresses then exit
Cron schedule (recommended):
# Add to crontab
*/10 * * * * cd ~/.openclaw/workspace/skills/crypto-scam-detector && source venv/bin/activate && ETHERSCAN_API_KEY="key" python3 sync_worker.py --max-jobs 30
💡 How It Works
Architecture Flow
User checks address
↓
┌──────────────────┐
│ crypto_check_db │ ← Queries local database ONLY
└────────┬─────────┘ (No external API calls)
│
↓
┌──────────────────────┐
│ Local SQLite DB │
│ ~/.config/crypto- │
│ scam-detector/ │
│ │
│ • Addresses │
│ • Transactions │
│ • Risk scores │
│ • Scam indicators │
│ • Sync queue │
└────────▲─────────────┘
│
│ Background sync
│
┌────────┴─────────────┐
│ sync_worker.py │ ← Pulls from Etherscan
│ │ (Uses your API key)
│ • Reads queue │
│ • Calls Etherscan │
│ • Decodes TX data │
│ • Analyzes messages │
│ • Stores in DB │
└──────────────────────┘
User Flow
- Check address:
python3 crypto_check_db.py 0x... - If in database: Instant results with full analysis
- If NOT in database:
- Returns "unknown" status
- Automatically adds to sync queue
- Shows: "⏳ Check again in a few minutes"
- Background worker syncs it (next cron run or manual trigger)
- Check again: Full analysis now available
🔍 Detection Capabilities
Scam Types Detected
| Type | Detection Method |
|---|---|
| Phishing | Keyword analysis: "private key", "seed phrase", "verify wallet" |
| Honeypot | Contract code analysis (unverified contracts) |
| Rug Pull | Transaction pattern analysis |
| Exploit Groups | Keywords: "Lazarus", "hack", "exploit", "breach" |
| Social Engineering | Keywords: "urgent", "claim reward", "airdrop winner" |
Risk Scoring
Algorithm factors:
- Suspicious transaction count (+25 per TX, max +50)
- Account age (new addresses: +10)
- Balance patterns (large balance + suspicious TX: +20)
- Contract verification (unverified: +30)
Risk Levels:
- 0-19: ✅ Low Risk
- 20-49: ℹ️ Medium Risk
- 50-79: ⚠️ High Risk
- 80-100: 🚨 Critical Risk
📋 Commands Reference
Check Address
# Human-readable output
python3 crypto_check_db.py 0x...
# JSON output
python3 crypto_check_db.py 0x... --json
Sync Worker
# Add address to queue
python3 sync_worker.py --add-address 0x...
# Run worker (continuous)
python3 sync_worker.py
# Process N addresses then stop
python3 sync_worker.py --max-jobs 20
# Custom delay between addresses
python3 sync_worker.py --delay 2.0
# Show database stats
python3 sync_worker.py --stats
Convenience Script
# Check and auto-sync if needed
./check_address.sh 0x...
# Automatically syncs if not in DB, then shows results
🎯 Example Output
Critical Risk Address
🚨 Analysis for 0x098b716b8aaf21512996dc57eb0615e2383e2f96
Risk Score: 100/100 - CRITICAL RISK
Last Updated: 2026-02-20 07:14:32
🚨 KNOWN SCAM DETECTED!
⚙️ Smart Contract
⚠️ NOT VERIFIED on Etherscan
Transactions: 38
Balance: 101.802430 ETH
🚨 5 Scam Indicator(s) Detected:
• Suspicious keyword detected: 'lazarus' (confidence: 80%)
• Suspicious keyword detected: 'hack' (confidence: 80%)
• Suspicious keyword detected: 'exploit' (confidence: 80%)
• Suspicious keyword detected: 'private key' (confidence: 80%)
⚠️ 5 Suspicious Transaction(s):
• 0x74f7fbfe5a0bd3...
Reason: Suspicious keyword detected: 'lazarus'
Message: "Greetings Lazarus Vanguard..."
📋 Recommendations:
🚫 DO NOT send funds to this address
⚠️ This address has been flagged as high risk
📞 Report the source that gave you this address
Unknown Address (Not Yet Synced)
⏳ Analysis for 0xnew_address_not_in_db
Risk Score: 0/100 - UNKNOWN
Last Updated: N/A
⏳ Address not yet in database
Address not in database. Added to sync queue.
📋 Recommendations:
⏳ This address will be analyzed soon
🔍 Check again in a few minutes
⚠️ Exercise caution until analysis completes
⚙️ Configuration
Database Location
Default: ~/.config/crypto-scam-detector/crypto_data.db
Etherscan API Rate Limits
- Free tier: 5 calls/second, 100,000 calls/day
- Each address: 4 API calls (balance, TX count, TX list, code)
- Default delay: 1.5 seconds between addresses (safe for free tier)
Recommended Cron Schedule
# Every 10 minutes, process 30 addresses
*/10 * * * * cd ~/.openclaw/workspace/skills/crypto-scam-detector && source venv/bin/activate && ETHERSCAN_API_KEY="key" python3 sync_worker.py --max-jobs 30 --delay 2.0
# Handles ~4,320 addresses per day
🛡️ Security
- ✅ Encrypted API key storage - AES-256 with PBKDF2
- ✅ No third-party sharing - API key only sent to Etherscan
- ✅ Local processing - All analysis happens on your machine
- ✅ No telemetry - Zero data collection
- ✅ Open source - Fully auditable code
📊 Database Schema
Tables
- addresses - Address info, risk scores, balances, metadata
- transactions - Suspicious transactions with decoded messages
- scam_indicators - Individual red flags per address
- sync_queue - Addresses waiting to be synced
See DATABASE_ARCHITECTURE.md for full technical details.
🔄 Sync Frequency
Default behavior:
- First check → address queued for sync
- Worker processes queue (manual or cron)
- Subsequent checks → instant from database
Recommended: Run worker via cron every 5-10 minutes
💻 OpenClaw Integration
Via Chat
"Check if 0x1234... is a scam"
"Is this address safe: 0xabc..."
"Verify 0xdef... before I send ETH"
Automatic Detection
When you check an address, OpenClaw:
- Runs
crypto_check_db.py - If not in DB → queues for sync
- Returns current status
- Suggests checking again after sync
🐛 Troubleshooting
"Address not in database"
Solution: Wait for background worker to sync it, or manually trigger:
python3 sync_worker.py --add-address 0x...
python3 sync_worker.py --max-jobs 1
"Etherscan API key not configured"
Solution: Set API key via environment or setup wizard:
./setup.sh # or
export ETHERSCAN_API_KEY="your_key"
Rate limit errors
Solution: Increase delay between addresses:
python3 sync_worker.py --delay 3.0
📈 Performance
- ✅ Check latency: <5ms (database query)
- ✅ Sync time: ~2 seconds per address (4 API calls)
- ✅ Database size: ~1KB per address
- ✅ Capacity: Handles millions of addresses
🆚 Comparison: v1 vs v2
| Feature | v1.1.3 (Old) | v2.0.0 (New) |
|---|---|---|
| Check speed | 2-5 seconds (API calls) | <5ms (database) |
| Rate limits | Yes (every check) | No (checks only query DB) |
| TX message analysis | ❌ Not analyzed | ✅ Fully analyzed |
| False negatives | High (missed scams) | Low (deep analysis) |
| Architecture | Direct API calls | Database + background worker |
| API key usage | Every check | Only background worker |
📜 License
MIT License - Free and open source
🤝 Support
- GitHub: https://github.com/trustclaw/crypto-scam-detector
- Issues: Report bugs or request features
- ClawHub: https://clawhub.com/crypto-scam-detector
- Hackathon: NeoClaw Hackathon 2026
🏆 Credits
Developed by Trust Claw Team for NeoClaw Hackathon 2026
Built with:
- SQLite - Local database
- Etherscan API - Blockchain data
- ChainAbuse API - Community scam reports
- Python asyncio - Async operations
🔐 Stay safe in crypto! Always verify addresses before sending funds.