Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Market Monitor

v2.0.0

Comprehensive cryptocurrency market monitoring and economic data analysis. Use when tracking crypto prices, market sentiment, economic data releases, or anal...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The scripts and docs implement crypto price monitoring, an economic calendar, and impact analysis as advertised. There are, however, inconsistencies: the scripts hardcode absolute /root/.openclaw/workspace/* paths, while INSTALL.md instructs creating ~/.openclaw/workspace/crypto. The mixed paths may cause the skill to read and write under /root rather than under the user's home. The code also references external services (CoinGecko, Binance, TradingEconomics) and Telegram notifications, which are legitimate for this purpose, but the skill does not declare the API keys or tokens those integrations would normally require.
Instruction Scope
SKILL.md tells the agent to run the included scripts and set up cron jobs; the scripts perform network calls to public crypto APIs and create/read/write JSON data files. They also insert absolute sys.path entries (e.g. '/root/.openclaw/workspace/crypto/economic' and '/root/.openclaw/workspace/economic'), which can cause the runtime to import code from unexpected filesystem locations. The monitoring script claims to send reports to Telegram but no env vars or config for Telegram credentials are declared; that behaviour is not fully documented and is truncated in the bundle, so the destination and authentication are unclear.
Install Mechanism
No install spec (instruction-only plus included scripts). That is the lower-risk pattern for install mechanics. INSTALL.md uses standard unzip/copy/chmod steps and suggests pip installing a few Python packages. Nothing in the install instructions downloads arbitrary binaries from unknown hosts.
Credentials
The skill declares no required environment variables or credentials, yet the code clearly expects network access to CoinGecko/Binance and mentions optional TradingEconomics API keys and Telegram integration. The absence of declared TELEGRAM_BOT_TOKEN/CHAT_ID or other API credentials is an inconsistency: running the code as-is may either fail or attempt to send data in an undocumented way. The code also writes actual_data.json to absolute paths under /root, requiring write access to a root-owned location, which is disproportionate for a user-level monitoring tool.
Persistence & Privilege
The skill will create directories and files (actual_data.json, logs) and suggests cron jobs that run every 30 minutes plus a daily report. While it does not request 'always: true' or any platform-level privilege, the hardcoded /root/.openclaw/workspace paths mean it may attempt to persist data under root-owned locations, or fail or behave differently when run as a non-root user. That persistence behaviour does not match the skill's own INSTALL.md, which uses the user's home directory.
What to consider before installing
This package appears to implement the advertised crypto and economic monitoring features, but several inconsistencies deserve attention before you install or run it:

- Hardcoded root paths: The Python modules use absolute paths (e.g. /root/.openclaw/workspace/...) while INSTALL.md uses ~/.openclaw/.... That can cause the code to create or write files under /root (which may fail or be surprising). Search the scripts for '/root/.openclaw' and change them to a configurable, user-writable workspace (or set up the intended workspace path explicitly).
- Undeclared credentials: The code references Telegram notifications and an optional TradingEconomics API. The skill's metadata declares no environment variables. Inspect the crypto_monitor_telegram.py tail (the sending logic) to see whether it expects TELEGRAM_BOT_TOKEN, CHAT_ID, or other secrets, and supply them via a safe config (not environment variables you don't control). Do not run on a machine that contains secrets until you confirm where the skill will send data.
- Network behavior: The scripts call CoinGecko and Binance APIs and may print or send their outputs. If you need to audit outbound endpoints, run the code in a network-restricted sandbox first.
- Persistence & cron: INSTALL.md suggests cron entries that will run the scripts periodically. Only install cron jobs after you confirm the scripts behave as expected and write logs/data where you expect.

Recommendations before installing:

1) Review the full crypto_monitor_telegram.py send logic (it was truncated); verify which external endpoints receive data and whether credentials are required.
2) Replace hardcoded /root paths with a configurable workspace path (e.g., use ~/.openclaw/workspace/crypto or a path you control).
3) Run the scripts in an isolated container or VM first to confirm behavior and network traffic.
4) If you intend to enable Telegram notifications, set up a dedicated bot and chat and store the token securely (and only after you inspect the sending code).
5) If you are not comfortable doing these code changes, avoid installing the skill on production or privileged hosts.

Given these mismatches and missing declarations the skill is best treated cautiously; the issues are more likely sloppy engineering than outright malice, but they increase risk and should be resolved before use.
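The following is an added example of how a reviewer can carry out the path and credential checks recommended above against a downloaded skill bundle before installing it. It is not the skill's code and not part of ClawHub: SAMPLE_SCRIPT is a constructed stand-in shaped like the patterns the scan describes, the OPENCLAW_WORKSPACE variable name is an assumption, and the regexes are review heuristics that should be paired with reading the real scripts. It goes slightly beyond the text in that it also catches sys.path.append and guards against path traversal once the workspace is configurable.

```python
"""Audit helpers for the path and credential findings above: locate quoted
/root/.openclaw literals (including absolute sys.path entries), list the
environment variables the code reads but the skill never declares, rewrite
the literals against a configurable workspace, and keep data files inside it.
Added example, not the skill's code; OPENCLAW_WORKSPACE is an assumed name."""
import os
import re
from pathlib import Path

# Constructed sample shaped like the patterns the scan reports; not the skill's code.
SAMPLE_SCRIPT = '''import os, sys, json
sys.path.insert(0, '/root/.openclaw/workspace/crypto/economic')
DATA_FILE = "/root/.openclaw/workspace/crypto/actual_data.json"
TOKEN = os.environ.get("TELEGRAM_BOT_TOKEN")
CHAT = os.getenv("TELEGRAM_CHAT_ID")
with open(DATA_FILE, "w") as f:
    json.dump({"token_set": bool(TOKEN), "chat": CHAT}, f)
'''

ROOT_WS = "/root/.openclaw/workspace"
# Any quoted string literal that starts with /root/.openclaw/
HARDCODED_RE = re.compile(r"""(['"])(/root/\.openclaw/[^'"]*)\1""")
# sys.path.insert(N, '/abs') or sys.path.append('/abs') with an absolute literal
SYSPATH_RE = re.compile(
    r"""sys\.path\.(?:insert|append)\(\s*(?:\d+\s*,\s*)?(['"])(/[^'"]*)\1""")
# os.environ["X"], os.environ.get("X"), os.getenv("X")
ENV_RE = re.compile(
    r"""(?:os\.environ(?:\.get)?\s*[\[(]|os\.getenv\()\s*(['"])([A-Za-z_]\w*)\1""")


def find_hardcoded_paths(source):
    """(line_no, path) for every quoted /root/.openclaw/... literal."""
    return [(n, m.group(2))
            for n, line in enumerate(source.splitlines(), 1)
            for m in HARDCODED_RE.finditer(line)]


def find_abs_syspath_inserts(source):
    """(line_no, path) for sys.path.insert/append with an absolute literal,
    i.e. places the runtime would import code from a fixed filesystem location."""
    return [(n, m.group(2))
            for n, line in enumerate(source.splitlines(), 1)
            for m in SYSPATH_RE.finditer(line)]


def undeclared_env_vars(source, declared):
    """Env vars the code reads that the skill metadata does not declare."""
    used = {m.group(2) for m in ENV_RE.finditer(source)}
    return sorted(used - set(declared))


def rewrite_hardcoded(source):
    """Turn '/root/.openclaw/workspace/<rel>' literals into str(WORKSPACE / '<rel>')
    expressions. Other /root/.openclaw paths are left untouched for manual review."""
    def repl(m):
        quote, path = m.group(1), m.group(2)
        if path == ROOT_WS:
            return "str(WORKSPACE)"
        if path.startswith(ROOT_WS + "/"):
            rel = path[len(ROOT_WS) + 1:]
            return "str(WORKSPACE / %s%s%s)" % (quote, rel, quote)
        return m.group(0)
    return HARDCODED_RE.sub(repl, source)


def resolve_workspace(env=None, home=None):
    """Workspace root: $OPENCLAW_WORKSPACE (assumed name) if set, otherwise
    ~/.openclaw/workspace as INSTALL.md describes. Pure path logic, no I/O."""
    env = os.environ if env is None else env
    home = Path.home() if home is None else Path(home)
    raw = env.get("OPENCLAW_WORKSPACE")
    ws = Path(raw).expanduser() if raw else home / ".openclaw" / "workspace"
    return Path(os.path.normpath(ws))


def is_inside_workspace(workspace, relative):
    """True if <workspace>/<relative> stays under the workspace after '..'
    segments are normalised; an absolute 'relative' path fails as well."""
    ws = Path(os.path.normpath(workspace))
    target = Path(os.path.normpath(ws / relative))
    return target == ws or ws in target.parents


def workspace_file(workspace, relative):
    """Resolve a data file (e.g. actual_data.json) under the workspace,
    refusing anything that would escape it."""
    if not is_inside_workspace(workspace, relative):
        raise ValueError("%r escapes workspace %s" % (relative, workspace))
    return Path(os.path.normpath(Path(workspace) / relative))


if __name__ == "__main__":
    print("hardcoded:", find_hardcoded_paths(SAMPLE_SCRIPT))
    print("sys.path:", find_abs_syspath_inserts(SAMPLE_SCRIPT))
    print("undeclared env:", undeclared_env_vars(SAMPLE_SCRIPT, declared=[]))
    print(rewrite_hardcoded(SAMPLE_SCRIPT))
    ws = resolve_workspace(env={}, home="/home/alice")
    print(workspace_file(ws, "crypto/actual_data.json"))
```

To run this over a real bundle, feed each script's text (Path(p).read_text()) to the find_* functions and compare undeclared_env_vars against the skill's declared metadata; a rewritten module additionally needs `WORKSPACE = resolve_workspace()` (and the pathlib import) near its top. The regexes only see string literals, so a path assembled at runtime or read from a config file still needs eyeballing.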


latestvk975wkxhvsaav3cbdw6dqw62yh82vdma

