Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code (watch.mjs, top.mjs, alert.mjs) implements real-time price lookups and alerts via CoinGecko which matches the stated purpose. However, the SKILL.md/README advertise features and payment gating (5 queries/day free, 'sponsor to unlock unlimited') that are not implemented in the code; the SKILL.md also references a rank.mjs script that does not exist in the package. Additionally, registry metadata lists Source: unknown/Homepage: none while package.json points to a GitHub repo and ClawHub homepage — provenance is inconsistent.
Instruction Scope
Runtime instructions are typical CLI usage and only call CoinGecko endpoints. They do not request unrelated system files or credentials. But SKILL.md instructs installing with 'npx @gztanht/cryptowatch' (implying an npm package) while the registry lists no install spec; usage docs reference a non-existent scripts/rank.mjs and also describe monetization/sponsorship behavior that the code does not enforce. These discrepancies broaden the scope of what the agent might do or expect and reduce trust.
Install Mechanism
There is no registry install spec (instruction-only), which is lower-risk. The README/SKILL.md recommend 'npx @gztanht/cryptowatch' which would pull code from npm — that is not automated by the registry entry and could source different code at runtime. The package.json in the bundle looks like a normal Node project (depends on node-fetch). No downloads from unusual URLs are present in the included files.
Credentials
The skill requests no environment variables or secrets and only requires node/npm binaries — this is proportional to a Node-based CLI that talks to CoinGecko. The code does not try to read unrelated system config or credentials.
Persistence & Privilege
The skill does write a local alerts JSON (config/alerts.json) in its own directory when users add alerts — that is expected for a local CLI. It does not request always: true, modify other skills, or access system-wide config.
What to consider before installing
This package largely does what it claims (fetches CoinGecko data and stores local alerts), but several red flags mean you should be cautious:
- Do not send money based on the README/SKILL.md 'sponsorship' claim without verifying the project. The code contains wallet addresses but there is no implemented enforcement or unlock mechanism — the donation request could be legitimate or opportunistic. Never send funds to an unverifiable recipient.
- SKILL.md mentions scripts/rank.mjs that are not present and advertises a paid tier (5 queries/day free) that the code does not enforce — this inconsistency suggests sloppy packaging or possible misrepresentation.
- Registry metadata says 'Source: unknown' and 'Homepage: none' while package.json points to GitHub/ClawHub. Verify the upstream repository (check the GitHub URL, npm package, and commit history) before trusting or installing. Confirm the maintainers and recent activity.
- Because the README suggests installing via 'npx', if you run that command you will fetch whatever is published to npm at that name; double-check the npm package contents and verify the package author. Consider auditing the published npm package, not just these bundled files.
- The CLI writes config/alerts.json to its directory — this is local persistence only, but if you run it from a sensitive directory it will create files there; run it in an isolated folder or sandbox.
Recommended next steps: inspect the upstream GitHub repo and the npm package (if published), confirm the vendor identity, run the scripts in a sandbox/container and monitor outbound network calls (they should only target api.coingecko.com), and do not transfer any funds unless you can independently verify the project's legitimacy.Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
₿ Clawdis
Binsnpm, node
latest
₿ CryptoWatch - 加密货币监控
Never Miss a Pump - 实时追踪币价,猎杀每个波动!
Overview
CryptoWatch 实时监控主流加密货币价格(BTC、ETH、SOL 等),支持价格预警、涨跌幅追踪、市值排行等功能。数据来自 CoinGecko API(免费、无需 API Key)。
Features
- 📊 实时价格 - 秒级更新,支持 100+ 加密货币
- 🚨 价格预警 - 突破设定价位自动提醒
- 📈 涨跌幅 - 24h/7d/30d 涨跌追踪
- 💰 市值排行 - 按市值/音量排序
- 🔔 多币种 - BTC、ETH、SOL、BNB、XRP 等主流币
- 🌐 多法币 - USD、CNY、EUR、JPY 支持
Installation
npx @gztanht/cryptowatch
Usage
查看实时价格
# 查询单个币种
node scripts/watch.mjs btc
# 查询多个币种
node scripts/watch.mjs btc,eth,sol
# 查看所有主流币
node scripts/watch.mjs --top 20
设置价格预警
# BTC 突破 $100,000 提醒
node scripts/alert.mjs btc --above 100000
# ETH 跌破 $3,000 提醒
node scripts/alert.mjs eth --below 3000
# 查看已设置的预警
node scripts/alert.mjs --list
查看涨跌幅排行
# 24 小时涨幅榜
node scripts/rank.mjs --period 24h
# 7 日跌幅榜
node scripts/rank.mjs --period 7d --order asc
Configuration
编辑 config/coins.json 添加自定义币种:
{
"watchlist": [
{"id": "bitcoin", "symbol": "BTC", "name": "Bitcoin"},
{"id": "ethereum", "symbol": "ETH", "name": "Ethereum"},
{"id": "solana", "symbol": "SOL", "name": "Solana"}
]
}
API Reference
- CoinGecko API - https://www.coingecko.com/en/api
- 免费 tier:10-50 calls/min,无需 API Key
- 数据延迟:< 30 秒
Support
- 📧 Email: support@cryptowatch.shark
- 💬 Telegram: @CryptoWatchBot
- 🦈 赞助:USDT (ERC20):
0x33f943e71c7b7c4e88802a68e62cca91dab65ad9
License
MIT © 2026 gztanht
Comments
Loading comments...