Crypto Market
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the dependency adds third-party code to the user's Python environment.
The skill depends on installing the external ccxt package without a pinned version. This is central to the tool's purpose, but users should recognize the dependency and its provenance.
pip3 install ccxt --user
Install ccxt from a trusted package index, consider pinning a known version, and use a virtual environment if possible.
A user could unnecessarily provide high-impact exchange API keys if they follow the advanced reference outside the price-alert use case.
The reference documentation shows how to configure private exchange API credentials for ordering or account access, even though the main skill metadata declares no credential requirement and the visible script only uses public market-data calls.
If private API access is needed (placing orders, viewing the account, etc.): ... 'apiKey': 'YOUR_API_KEY', 'secret': 'YOUR_SECRET_KEY'
Do not provide trading API keys for simple price monitoring. If private exchange access is ever needed, use least-privilege, preferably read-only keys and do not paste secrets into chats or skill files.
Anyone with access to the local account or config directory could see or modify the user's alert strategy.
The script persists alert rules and status across runs in a local JSON file. This is purpose-aligned, but it stores the user's watched pairs and thresholds.
CONFIG_DIR = os.path.expanduser("~/.config/crypto")
ALERTS_FILE = os.path.join(CONFIG_DIR, "alerts.json")
Treat the alert file as local user data; review or delete ~/.config/crypto/alerts.json if you no longer want those alerts stored.
