Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
BTC Price Monitor
v1.0.0
Fetches the current Bitcoin price from CoinGecko and sends it to Telegram, with optional alerts if price falls below a set threshold.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
Name/description, SKILL.md, and the script all align: fetch price from CoinGecko and send to Telegram. However the registry metadata lists no required environment variables while SKILL.md and scripts/main.py require TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID — this metadata mismatch is inconsistent and could confuse automated permission/credential checks.
Instruction Scope
SKILL.md instructs running python scripts/main.py and documents the two Telegram env vars plus an optional PRICE_THRESHOLD. The runtime instructions and code only call CoinGecko and the Telegram API; they do not reference unrelated files, system paths, or other credentials.
Install Mechanism
There is no install spec (instruction-only skill with included files). A requirements.txt pins requests==2.31.0 which is consistent with the code. No downloads from arbitrary URLs or archive extraction are present.
Credentials
The script legitimately needs TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID (and optionally PRICE_THRESHOLD). Those are minimal and appropriate for the stated purpose, but the registry metadata not declaring them is a mismatch. The code contains placeholder defaults that will prevent sending messages if not set, which is safe but underscores the metadata omission.
Persistence & Privilege
The skill does not request persistent installation privileges (always is false), does not modify other skills or system configuration, and does not attempt to run autonomously beyond the platform default.
What to consider before installing
This skill appears to implement exactly what it claims (gets BTC price from CoinGecko and posts to Telegram). Before installing:
1) Note that the registry metadata omitted required env vars: you must set TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID for it to work.
2) Review the included scripts/main.py yourself (or run it in an isolated environment) and do not paste your bot token publicly.
3) Install the requests dependency (pip install -r requirements.txt) before running.
4) The README and SKILL.md include donation addresses (not used by the code); those are cosmetic.
5) If you plan to run this automatically, be aware it will send messages via your Telegram bot (so the bot token grants messaging ability); only provide tokens you trust and consider running the skill in an isolated account or chat.
The metadata inconsistency is the main issue; if the publisher provided a homepage or source repo it would increase confidence.
Like a lobster shell, security has layers — review code before you run it.
