Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Alert

v1.0.0

Monitor cryptocurrency prices and send alerts when thresholds are crossed. No API key required — uses Binance public API. Supports BTC, ETH, SOL, and 10+ tok...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (monitor prices, send alerts) align with the included scripts: check-price.sh queries Binance, and set-alert.sh and check-alerts.sh manage a JSON state file. However, SKILL.md instructs the user to edit scripts/config.sh to set a Telegram bot token/chat ID for alerts, but no scripts/config.sh is included and none of the shipped scripts implement sending alerts via Telegram. This is a mismatch between the claimed alert-delivery feature and the actual code.
Instruction Scope
Runtime instructions are limited and explicit (run the provided scripts). The scripts only access the user's home directory (~/.crypto-alert-state.json), call public APIs (CoinGecko and Binance) over the network, and invoke python3/curl. They do not read other system files or environment variables beyond HOME, nor do they exfiltrate data to unknown endpoints. The SKILL.md's Telegram instructions refer to a config file that does not exist and the code does not source a config, which is misleading.
Install Mechanism
No install spec and no external downloads — the skill is instruction-only with included shell/Python scripts. Nothing is written to disk by an installer; the only runtime write is the state file in the user's home directory, which is expected for this functionality.
Credentials
The skill declares no required credentials and the code does not require secrets. SKILL.md suggests configuring a Telegram bot token/chat ID, but the repository lacks that config and the scripts don't use it. Requesting no credentials is proportionate to the visible code, but the doc could mislead users into providing a token they don't need, or the author may have forgotten to include alert-sending functionality.
Persistence & Privilege
The skill does not request persistent platform privileges (always:false). It writes a single JSON state file under the user's home directory (~/.crypto-alert-state.json) which is consistent with its purpose. It does not modify other skills or system-wide settings.
What to consider before installing
This package appears to be a simple, local crypto-price checker that stores alerts in ~/.crypto-alert-state.json and queries public Binance/CoinGecko APIs. Before installing or running it:

- Review the scripts yourself (they are short and included). They use curl and python3 and will create/modify ~/.crypto-alert-state.json.
- Note SKILL.md mentions Telegram alerts and a scripts/config.sh file: that file is missing and none of the scripts send Telegram messages. If you expect push alerts, do not assume they exist — either implement/verify Telegram sending yourself or contact the author.
- Run the scripts in a restricted environment (non-root user or container) if you are unsure. Because they make network calls, be aware they will contact public Binance and CoinGecko endpoints.
- If you plan to add Telegram support, check where/when tokens would be read and ensure you store tokens securely rather than embedding them in world-readable files.
- If you need stronger assurance, ask the publisher for the missing config implementation or for an updated release that implements alert delivery as described.
