Crypto Sniper Oracle
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: crypto-sniper-oracle Version: 3.3.0 The skill bundle is classified as benign. The code and documentation consistently align with the stated purpose of fetching public market data, performing quantitative analysis, generating reports, and optionally sending them to the user's Telegram. Sensitive environment variables (TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID) are explicitly declared as optional credentials in SKILL.md and are handled appropriately within `reporter.py` for their stated purpose. Subprocess calls in `reporter.py` are safely constructed as lists, preventing shell injection. File system operations are confined to the `/workspace/` directory for cache, logs, and reports. There is no evidence of data exfiltration to unauthorized third parties, malicious execution, persistence mechanisms initiated by the skill's code, or prompt injection attempts against the OpenClaw agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill will contact Binance for market data and, if Telegram is enabled, send report content to Telegram.
The skill is explicitly designed to make external API requests for public market data and optional Telegram delivery; this is purpose-aligned but worth noticing.
network_behavior:\n makes_requests: true\n endpoints_allowed:\n - "https://api.binance.com/api/v3/*"\n - "https://api.telegram.org/bot*"
Use it only if you are comfortable with those network calls, and keep Telegram disabled unless you need alerts.
If enabled, the bot token and chat ID allow the skill to send messages to the configured Telegram destination.
The reporter uses optional Telegram credentials from environment variables to send messages through a user-provided bot.
TELEGRAM_BOT_TOKEN = os.getenv("TELEGRAM_BOT_TOKEN")\nTELEGRAM_CHAT_ID = os.getenv("TELEGRAM_CHAT_ID")\nTELEGRAM_ENABLED = bool(TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID)Store the bot token securely, use a dedicated bot/chat where possible, and unset or rotate the token if you no longer use the skill.
Users might over-trust generated market signals and make financial decisions based on them.
The skill can produce actionable trading-suggestion language even though it does not execute trades.
🎯 Suggested Action:\nConsider LONG entry if other signals align.
Treat the reports as analytical inputs only, verify with independent sources, and do not connect them to automated trading without separate controls.
If the user installs the cron jobs, the skill can continue making API requests, writing reports/logs, and sending Telegram alerts on a schedule.
The documentation recommends optional cron entries that can keep the reporter running periodically.
*/15 * * * * /usr/bin/python3 /workspace/skills/crypto-sniper-oracle/reporter.py --mode alerts --symbols BTCUSDT,ETHUSDT,SOLUSDT
Add only the cron jobs you want, review them with `crontab -l`, and remove them when scheduled monitoring is no longer needed.