Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mobula - Smart Alerts & Monitoring
v1.0.0
24/7 autonomous monitoring for crypto portfolios, whales, and market conditions. Multi-condition alerts via OpenClaw heartbeat.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md and README describe a monitoring/orchestration skill that uses Mobula endpoints and other mobula-* skills; that purpose justifies an API key and use of network calls. However the registry metadata supplied with the skill lists no required environment variables or primary credential while SKILL.md lists requiredEnvVars: MOBULA_API_KEY — a metadata inconsistency that should be resolved.
Instruction Scope
Instructions are primarily scoped to reading public market and wallet data, evaluating conditions, storing criteria in agent memory, and sending alerts to messaging services. These actions fit the stated purpose. The SKILL.md also tells users to copy templates into ~/openclaw/heartbeat/ and to persist an API key in ~/.zshrc — steps that write to the user's home and shell config and therefore expand the skill's runtime footprint beyond purely remote API calls. The instructions are otherwise high-level and give the agent broad autonomous discretion (scheduling, discovery, multi-condition logic), which is expected for a monitoring skill but worth noting.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be automatically downloaded or written by a package installer. Risk from installation mechanism is low. However the skill expects the user/agent to place heartbeat templates under ~/openclaw/heartbeat/, which requires filesystem writes done by the user or the agent.
Credentials
Functionally the skill needs only a single third-party API credential (MOBULA_API_KEY) which is proportionate to a monitoring integration. However registry metadata omits this requirement while SKILL.md explicitly requires it. The README recommends persisting the API key into ~/.zshrc (echo >> ~/.zshrc), which can increase exposure of the key; users should prefer secure secret storage rather than adding secrets to shell rc files.
Persistence & Privilege
The skill is not always:true and does not request special platform-wide privileges. Autonomous monitoring via heartbeat is the intended behavior of the platform and is described clearly. The only persistence/privilege actions are storing monitoring criteria in agent memory and writing heartbeat templates to ~/openclaw/heartbeat/ (user/agent action), which are within the skill's purpose.
Scan Findings in Context
[no_findings] expected: Scanner had no code files to analyze (instruction-only). Absence of findings is expected but provides limited assurance; review of SKILL.md and README is the primary surface for evaluation.
What to consider before installing
Before installing, confirm these items: (1) Verify the MOBULA_API_KEY requirement — the registry metadata omitted it; ensure you only provide an API key from the official mobula.io dashboard. (2) Avoid putting secrets in plain shell rc files; use secure agent/OS secret storage if available instead of echo >> ~/.zshrc. (3) Inspect the referenced GitHub repo (https://github.com/Flotapponnier/Crypto-date-openclaw) and mobula.io/docs to confirm implementation and privacy practices. (4) Limit notification targets (Telegram/Discord/WhatsApp) to channels/accounts you control, and verify how alerts are delivered (avoid exposing sensitive data in messages). (5) Start with conservative settings (low-scope watchlists, longer heartbeat intervals) and monitor network activity and API usage to ensure only expected endpoints are contacted. (6) If you rely on additional required skills (mobula-prices, mobula-wallet), audit those skills as well. These steps reduce risk from metadata inconsistencies and from persisting API keys in unsafe locations.
Like a lobster shell, security has layers — review code before you run it.
