Crypto Price Alerts

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is broadly coherent and not malicious, but it stores alert data locally, queries Binance through ccxt, and has a few transparency/provenance gaps.

This looks safe to install if you are comfortable with local storage of your crypto alert targets and external Binance/ccxt price checks. Verify how notifications are delivered, especially the advertised Telegram/Discord support, and consider whether you want one-shot alerts that are removed after triggering.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A compromised or unexpectedly changed dependency could affect the alert checker.

Why it was flagged

The skill relies on an external npm dependency with a floating caret range. This is expected for exchange price lookups, but it means installs trust the npm supply chain and whatever compatible ccxt version resolves.

Skill content

"dependencies": { "ccxt": "^4.0.0" }

Recommendation

Prefer a pinned/locked dependency version and review the installed ccxt package version before relying on the skill.

What this means

Your watched trading pairs may be visible to Binance or network intermediaries during price checks.

Why it was flagged

The checker sends each stored alert symbol to Binance through ccxt to fetch current prices. This is purpose-aligned for crypto alerts, but it is an external provider data flow.

Skill content

const exchange = new ccxt.binance(); ... const ticker = await exchange.fetchTicker(alert.symbol);

Recommendation

Install only if you are comfortable with Binance-backed price queries for the pairs you monitor.

What this means

Anyone or any process with access to that local file could view or alter your alerts.

Why it was flagged

Alert symbols and target prices are persisted on disk and reused by future checks. The storage location is disclosed and scoped, but it can reveal trading interests.

Skill content

Alerts are stored locally in `~/.openclaw/workspace/data/price_alerts.json`

Recommendation

Treat the alert file as private local data and delete it when you no longer want the skill to retain alerts.

What this means

An alert can disappear once it triggers, so recurring alerts would need to be re-added.

Why it was flagged

Triggered alerts are automatically removed from the local alert file after a check. This is consistent with one-shot alerts, but it mutates stored user data without a separate confirmation step.

Skill content

// Remove triggered alerts
const remaining = alerts.filter(a =>
  !triggered.some(t => t.id === a.id)
);
saveAlerts(remaining);

Recommendation

Check the active alert list after triggers and confirm that one-shot behavior matches your expectations.

What this means

You may not actually receive alerts through Telegram or Discord unless the platform adds separate notification handling.

Why it was flagged

The README advertises Telegram/Discord notifications, but the provided artifacts do not declare credentials or configuration for those services and the included script prints JSON output locally. This appears to be an overbroad capability claim rather than hidden exfiltration.

Skill content

Instant notifications via Telegram/Discord

Recommendation

Verify notification delivery before relying on this skill for trading or time-sensitive decisions.