Crypto Regime Report

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to do what it says—generate crypto market reports from public data—but optional alerting uses Telegram credentials and recurring schedules that users should knowingly configure.

This looks safe for generating read-only crypto market reports from public data. Before using optional alerts or scheduling, review the Telegram wrapper, confirm the bot token/chat are appropriate, install jq if needed, and keep cron jobs limited to reports you actually want.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the report contacts OKX and downloads public market data for the configured watchlist.

Why it was flagged

The skill uses a local curl subprocess to fetch public OKX API data. This is central to the market-report purpose and uses argument-list execution rather than a shell.

Skill content

subprocess.run(["curl", "-s", "--connect-timeout", "10", "--max-time", "30", url], capture_output=True, text=True, timeout=35)

Recommendation

Use trusted watchlist/config values and understand that running the skill makes external market-data requests.

What this means

If you use the alert wrapper, it will access your Telegram bot settings and send generated crypto alerts to the configured chat.

Why it was flagged

The optional alert wrapper reads a Telegram bot token and chat ID from ~/.openclaw/openclaw.json or environment variables and uses them to send alert text to Telegram.

Skill content

BOT_TOKEN=$(cat "$OPENCLAW_CONFIG" | jq -r '.channels.telegram.botToken // empty') ... curl -s -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage"

Recommendation

Only enable Telegram alerts if you trust the skill with that bot token and chat ID; prefer a bot token limited to the intended notification chat.

What this means

Telegram alerting may fail unless jq is installed, even though the main report script can run with the declared binaries.

Why it was flagged

The alert wrapper depends on jq, while the registry requirements declare only python3 and curl. This is an undeclared optional dependency rather than evidence of malicious behavior.

Skill content

BOT_TOKEN=$(cat "$OPENCLAW_CONFIG" | jq -r '.channels.telegram.botToken // empty') ... MESSAGE=$(echo "$OUTPUT" | jq -sRr @uri)

Recommendation

Install jq only if you plan to use the Telegram alert wrapper, or update the skill metadata to declare it.

What this means

If you add the cron jobs, reports can run automatically at scheduled times without a fresh prompt each time.

Why it was flagged

The skill documents optional recurring OpenClaw cron jobs. This is disclosed and user-configured, but it does create ongoing automated agent activity.

Skill content

openclaw cron add --name "Morning Regime Report" --schedule "0 6 * * *" ... --message "Run the crypto regime morning report"

Recommendation

Only add scheduled jobs you actually want, and remove or disable them if you no longer need recurring crypto reports.