openclaw-version-monitor

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a straightforward instruction-only release monitor, but users should verify the Telegram/Feishu destinations, credentials, and any scheduled auto-posting before using it.

Before installing or using this skill, confirm the Telegram chat ID and Feishu target, use dedicated low-privilege messaging credentials, and only enable the scheduled checks if you want automated notifications to continue running.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Telegram bot or Feishu workspace/app credential may be used to send notifications, so the user should know which account is acting.

Why it was flagged

Sending messages through Telegram or Feishu usually requires delegated bot/app credentials, while the registry declares no primary credential or required environment variables.

Skill content

5. **Push to channels** - Send messages to Telegram and Feishu

Recommendation

Use a dedicated low-privilege bot/app credential, document the required credential setup, and avoid reusing broad personal or workspace tokens.

What this means

Release notifications could be sent to the wrong chat, user, or group if the destination IDs are not verified.

Why it was flagged

The skill defines external messaging recipients for Telegram and Feishu. This is disclosed and purpose-aligned, but users should confirm the IDs are intended.

Skill content

- Chat ID: 8290054457
- Requires target user or group ID

Recommendation

Confirm the Telegram chat ID and Feishu target before sending, and do not add sensitive private content to the release-note messages.

What this means

If scheduled, the monitor may continue checking and posting until the schedule is disabled.

Why it was flagged

The skill describes recurring scheduled checks and automatic pushes. This matches the monitoring purpose, but it is persistent behavior if the user configures it.

Skill content

Expression: `0,30 9-18 * * *`
- Behavior: Push immediately when a new version is detected

Recommendation

Only enable the schedule intentionally, keep a clear stop/disable process, and track the last-notified version to avoid duplicate posts.

What this means

Users have less external context for who maintains the skill, but the reviewed package does not include executable code.

Why it was flagged

The skill has limited provenance metadata, though there is no code or install script in the supplied artifacts.

Skill content

Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.

Recommendation

Review the instruction text before use and prefer a maintained source or homepage if this skill will be used for automated notifications.