Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Crypto Sentiment Monitor
v1.0.0Real-time crypto market sentiment analysis. Aggregates Twitter/X, Reddit, Google Trends, and exchange data. Detects FOMO/FUD cycles and whale movements. Trig...
⭐ 0· 107·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL.md describes aggregation from Twitter/X, Reddit, Google Trends, Whale Alert, and exchanges — which normally requires specific binaries/tools (e.g., an X/Twitter client), API keys, or scraping code. However the skill metadata claims no required binaries, no env vars, and there are no code files provided. That is inconsistent: a monitoring skill would legitimately need client tools or credentials, but none are declared or provided.
Instruction Scope
Runtime instructions tell the agent to run 'xreach' and a python script (analyze_sentiment.py) and call functions like get_google_trends() and get_whale_alerts(), but those scripts/functions are not included and no guidance is given for authentication or how to obtain these tools. The instructions are porous and open-ended (references to Telegram channels, Reddit hot posts) without specifying required credentials, endpoints, or allowed data sources — giving the agent broad, ambiguous discretion.
Install Mechanism
No install spec (instruction-only), which minimizes direct install risk. However the instructions rely on external binaries/tools (xreach) and Python scripts that are not provided or documented; installing those would be left to the user/agent without provenance, which raises risk if the agent tries to fetch or run unknown third-party code.
Credentials
The skill declares no required environment variables or primary credential, yet the described integrations (Twitter/X API, Whale Alert, Google Trends, exchange APIs, Telegram) normally require API keys or tokens. The absence of declared credential requirements is a mismatch and could lead the agent or user to supply credentials without clear justification or to attempt scraping/unauthenticated access.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistence/privileges and is user-invocable with default autonomous invocation allowed (normal). It does not declare any configuration changes to other skills or system-wide settings.
What to consider before installing
Do not install or run this skill as-is. It is incomplete and ambiguous: the SKILL.md calls binaries (xreach) and scripts (analyze_sentiment.py) that are not included, and it does not declare the API keys or install steps needed for Twitter/X, Whale Alert, Google Trends, or exchange data. Before proceeding, ask the publisher for: (1) source code or links to the missing scripts; (2) explicit install instructions and trusted sources for any third-party tools; (3) a list of required credentials and the minimum-scoped permissions needed (prefer read-only, scoped API keys or OAuth rather than broad tokens); (4) a homepage or repository to verify provenance. If you must test it, run in an isolated environment (sandbox/container) with dummy/scoped credentials and audit network calls. Avoid providing high-privilege or long-lived keys until you can review the code and confirm the exact endpoints and data handling practices.Like a lobster shell, security has layers — review code before you run it.
aivk974azdyqp5cb26z2gacmj5qz184gq5mautomationvk974azdyqp5cb26z2gacmj5qz184gq5mlatestvk974azdyqp5cb26z2gacmj5qz184gq5m
License
MIT-0
Free to use, modify, and redistribute. No attribution required.