Kamino Positions Monitor

Pass. Audited by ClawScan on May 1, 2026.

Overview

This skill is a coherent DeFi monitoring helper, but users should notice that it relies on installing and running an external Node.js project and can optionally send reports through Telegram.

Before installing, review the linked GitHub project and npm dependencies, confirm wallets.json contains only addresses you intend to monitor, and only configure Telegram delivery if you trust the destination chat and bot token setup.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing from the live repository could run dependency code that changes over time.

Why it was flagged

The skill depends on an external GitHub project and npm dependencies that are not included in the submitted artifacts or pinned to a specific commit.

Skill content

git clone https://github.com/csacanam/kamino-positions-monitor
cd kamino-positions-monitor && npm install

Recommendation

Review the repository and package dependencies before installing; prefer a trusted commit or release if available.

What this means

The local script will run with the permissions of the user or agent environment.

Why it was flagged

The skill instructs running a local Node.js script. This is central to the monitor’s purpose, but it is still executable local code.

Skill content

cd "${KAMINO_MONITOR_PATH:-.}" && node kamino_monitor.js wallets.json

Recommendation

Run it only from the intended project directory after checking the script and wallets.json contents.

What this means

If Telegram credentials are supplied, the monitor may act through that bot and send reports to the configured chat.

Why it was flagged

The skill discloses optional service configuration and a Telegram bot token, which are purpose-aligned but still represent account/service authority if configured.

Skill content

Optional in `.env`: `SOLANA_RPC_URL`... optional `TELEGRAM_BOT_TOKEN` and `TELEGRAM_CHAT_ID` send the report to a Telegram chat.

Recommendation

Use a dedicated low-privilege Telegram bot and verify the chat ID before enabling Telegram delivery.

What this means

Wallet monitoring reports could be sent outside OpenClaw to Telegram if that option is configured.

Why it was flagged

The artifacts disclose an optional external messaging path for reports containing wallet addresses and financial position details.

Skill content

When run directly, optional `TELEGRAM_*` in `.env` also pushes to a Telegram chat (HTML formatting, Jupiter links).

Recommendation

Only enable Telegram delivery for chats you control and avoid sharing reports for wallets you consider private.