Crypto Daily Dashboard
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The dashboard mostly matches its crypto purpose, but one optional feature can run a local command built from an environment setting, so it needs review before use.
Review before installing. Use only read-only Binance API keys, do not enable the cron job until you have tested the script, and leave ECONOMIC_TRACKER_PATH unset unless you trust the exact local script path. A safer version should avoid shell string execution for the economic tracker.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A misconfigured or attacker-controlled environment variable could cause commands to run on the user's machine under the user's account.
The environment-provided path is inserted directly into a shell command. If ECONOMIC_TRACKER_PATH contains shell metacharacters or is manipulated, running the dashboard can execute unintended local commands.
path: process.env.ECONOMIC_TRACKER_PATH || '' ... execSync(`python3 ${CONFIG.economicTracker.path} status`, { timeout: 5000, encoding: 'utf8' });
Leave ECONOMIC_TRACKER_PATH unset unless you fully trust it. The maintainer should replace execSync with execFile or spawn using an argument array, validate the path, and document the setting clearly.
If the supplied Binance key has trading or withdrawal permissions, the key itself is more powerful than this read-only dashboard needs.
The skill asks for Binance account credentials to read balances. This is purpose-aligned, but Binance keys are sensitive financial-account credentials.
export BINANCE_API_KEY="your_api_key"; export BINANCE_API_SECRET="your_api_secret" ... Read-only API permissions recommended
Use a dedicated Binance API key with read-only permissions only, and avoid exposing it in shared shells, logs, or scheduled jobs.
Once added to cron, the dashboard will run automatically with access to the configured environment and credentials.
The skill documents an optional scheduled run. It is user-directed and not hidden, but it creates recurring execution if enabled.
openclaw cron add "0 9 * * *" "node ~/.openclaw/workspace/skills/crypto-daily-dashboard/dashboard.js" --label "daily-crypto-dashboard"
Only add the cron job after testing the script, and remove it if you no longer want recurring access to your Binance credentials or local economic tracker.
Users may underestimate that using the dashboard contacts external services, including Binance when account keys are configured.
The skill does disclose its external API data sources, but the broad statement that no data is sent to third parties is imprecise because the dashboard makes network requests to those providers.
Data Sources: Binance API, CoinGecko API, Alternative.me API ... Security ... No data sent to third parties
Treat the external API calls as expected network data flows. The maintainer should reword the security claim to clarify that data is only sent to the listed providers.
