Earthquake Monitor

Status: Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: earthquake-monitor
Version: 1.1.1

The skill uses 'child_process.exec' to execute shell commands (curl) for data retrieval in 'src/cenc.js', 'src/cwa.js', and 'src/jma.js'. While the URLs are currently hardcoded to 'api.wolfx.jp', using shell execution for network requests is a high-risk practice that introduces potential command injection vulnerabilities. Furthermore, 'SECURITY.md' and 'src/config.js' explicitly state that encryption for webhook URLs was removed in v1.1.1, resulting in sensitive credentials being stored in plaintext within 'config.json'.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user enters a webhook URL, a local file may contain a token that can post to that messaging webhook, despite the main instructions implying it is encrypted.

Why it was flagged

The documented webhook example contains an access token and claims encrypted storage, but src/config.js stores config.webhook directly into config.json; SECURITY.md also says encryption was removed.

Skill content
await config({ webhook: 'https://oapi.dingtalk.com/robot/send?access_token=xxx' }) ... Stored encrypted, decrypted only in memory
Recommendation

Treat webhook URLs as secrets, restrict config.json permissions, avoid configuring sensitive webhooks unless needed, and update the documentation or implement real secret storage.

What this means

Users may believe alerts come directly from official agencies, while request privacy and data integrity depend on an undisclosed third-party service.

Why it was flagged

The documentation presents CENC/CWA/JMA as official government data sources, but the code fetches through api.wolfx.jp, a third-party intermediary also used by the CWA/JMA modules.

Skill content
execPromise('curl -s --max-time 10 "https://api.wolfx.jp/cenc_eqlist.json"')
Recommendation

Disclose the exact API intermediary and privacy/reliability implications, or fetch directly from official agency endpoints where possible.

What this means

The skill will run local curl commands when fetching earthquake data.

Why it was flagged

The skill uses local shell execution to run fixed curl commands for data fetching; this is purpose-aligned and does not include user-controlled shell arguments.

Skill content
const { exec } = require('child_process'); ... execPromise('curl -s --max-time 10 "https://api.wolfx.jp/jma_eqlist.json"')
Recommendation

Keep command arguments fixed and consider using Node's native fetch API to reduce shell-execution exposure.

Severity: Note (High Confidence)
ASI10: Rogue Agents
What this means

After starting monitoring, the skill will continue making periodic network checks while the host process is alive.

Why it was flagged

start() creates recurring background checks until stopMonitor() clears the interval; this is disclosed proactive monitoring and has a stop path.

Skill content
monitorInterval = setInterval(async () => { await checkAndNotify(onAlert); }, interval); ... clearInterval(monitorInterval);
Recommendation

Start monitoring only when desired and call stop() when continuous polling is no longer needed.

What this means

Local users or processes with access to the skill directory may read or alter saved monitoring settings, including any configured webhook.

Why it was flagged

The skill persists monitoring location, alert settings, source toggles, and optional webhook data in a local config file reused across calls.

Skill content
const CONFIG_PATH = path.join(__dirname, '..', 'config.json'); ... webhook: null ... fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2));
Recommendation

Protect config.json with appropriate file permissions and clear sensitive values before sharing or publishing the skill directory.