Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
signal-track
v0.0.3
Track persistent topics (stocks, companies, AI, and policy events) and monitor them continuously. Use this for recurring updates, trend monitoring, and struc...
by LucasWU @lucas-acc
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (topic tracking, continuous monitoring) align with the included CLI and src/cli.js. The code talks exclusively to the declared API base (https://younews.k.sohu.com/) and implements the CLI commands documented in SKILL.md. Minor metadata mismatch: the registry metadata claims no required config paths, but SKILL.md and the code both declare/read/write ~/.openclaw/openclaw.json and a legacy ~/.signal-track/config.json.
Instruction Scope
Runtime instructions and code only access home-directory config files (~/.openclaw/openclaw.json or ~/.signal-track/config.json), perform HTTP requests to the declared API, and print results. There is no instruction to read arbitrary system files, environment secrets, or forward data to unexpected endpoints. Note: SKILL.md explicitly states it will read/write the user's openclaw config, which is broader than many skills and worth user awareness.
Install Mechanism
No remote install downloads or extract steps; the package is instruction-only in the registry and contains a small Node.js CLI implementation. Installation described is local npm usage (npm install / npm install -g .) which is standard for Node CLIs included in the repo.
Credentials
The skill does not request unrelated environment variables or external credentials. It stores and uses a service API key (via login --api-key) and persists it into the user's config file. Storing the API key in plaintext JSON inside ~/.openclaw/openclaw.json or ~/.signal-track/config.json is expected for this CLI but is a sensitive action users should knowingly accept.
Persistence & Privilege
The skill does not request always:true and will not be force-added. It does modify a per-user config file in the home directory to persist login state; when present it writes to the openclaw config under skills.entries.signal-track or falls back to the legacy path. This is normal for a CLI that persists credentials, but it does alter a shared config file under ~/.openclaw which could be visible to other tools — users should be aware.
Assessment
This skill appears to do what it says: a Node.js CLI that talks to the YouNews API and persists an API key to a home-directory config file. Before installing, review and accept that: (1) you will provide an API key via `signal-track login --api-key <key>`; (2) the key will be stored in plaintext JSON at ~/.openclaw/openclaw.json (or legacy ~/.signal-track/config.json); and (3) the tool will create/modify those files. If you are concerned, inspect src/cli.js locally, run the CLI in a restricted environment first, or create a dedicated/limited YouNews API key rather than using a high-privilege account.
src/cli.js:84
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
