Earthquake Monitor
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly does earthquake monitoring, but it needs review because its code contradicts security and data-source claims about webhook protection and official data providers.
Before installing, confirm you are comfortable with earthquake data being fetched via api.wolfx.jp rather than directly from official agencies. Do not enter sensitive webhook URLs unless you can protect the local config file, and use stop() when you no longer want continuous monitoring.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user enters a webhook URL, a local file may contain a token that can post to that messaging webhook, despite the main instructions implying it is encrypted.
The documented webhook example contains an access token and claims encrypted storage, but src/config.js stores config.webhook directly into config.json; SECURITY.md also says encryption was removed.
await config({ webhook: 'https://oapi.dingtalk.com/robot/send?access_token=xxx' }) ... Stored encrypted, decrypted only in memory
Treat webhook URLs as secrets, restrict config.json permissions, avoid configuring sensitive webhooks unless needed, and update the documentation or implement real secret storage.
Users may believe alerts come directly from official agencies, while request privacy and data integrity depend on an undisclosed third-party service.
The documentation presents CENC/CWA/JMA as official government data sources, but the code fetches through api.wolfx.jp, a third-party intermediary also used by the CWA/JMA modules.
execPromise('curl -s --max-time 10 "https://api.wolfx.jp/cenc_eqlist.json"')
Disclose the exact API intermediary and privacy/reliability implications, or fetch directly from official agency endpoints where possible.
The skill will run local curl commands when fetching earthquake data.
The skill uses local shell execution to run fixed curl commands for data fetching; this is purpose-aligned and does not include user-controlled shell arguments.
const { exec } = require('child_process'); ... execPromise('curl -s --max-time 10 "https://api.wolfx.jp/jma_eqlist.json"')
Keep command arguments fixed and consider using Node's native fetch API to reduce shell-execution exposure.
After starting monitoring, the skill will continue making periodic network checks while the host process is alive.
start() creates recurring background checks until stopMonitor() clears the interval; this is disclosed proactive monitoring and has a stop path.
monitorInterval = setInterval(async () => { await checkAndNotify(onAlert); }, interval); ... clearInterval(monitorInterval);
Start monitoring only when desired and call stop() when continuous polling is no longer needed.
Local users or processes with access to the skill directory may read or alter saved monitoring settings, including any configured webhook.
The skill persists monitoring location, alert settings, source toggles, and optional webhook data in a local config file reused across calls.
const CONFIG_PATH = path.join(__dirname, '..', 'config.json'); ... webhook: null ... fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2));
Protect config.json with appropriate file permissions and clear sensitive values before sharing or publishing the skill directory.
