Skill v1.0.0

ClawScan security

WSB 热股日报 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 3, 2026, 5:24 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill does what it claims (fetch ApeWisdom WSB data, format a digest, and push to Discord via an existing OpenClaw install); its files and instructions are consistent with that purpose and it does not request unrelated credentials or install external code during install.
Guidance
This skill is internally consistent with its stated purpose but do these checks before installing:
1) Edit TARGET_CHANNEL_ID and OPENCLAW_BIN to match your environment; verify the path to openclaw and that OpenClaw is already configured with Discord access (the skill calls the local openclaw CLI to send messages).
2) Prefer running the cron job as a non-root user and change example /root paths in the documentation to your home directory to avoid unnecessary use of root.
3) Review and be comfortable with outputs written to /tmp (raw and chunk files) and the log at /tmp/wsb-digest.log; these contain the generated digest.
4) The scripts assume Node.js v18+ is available on PATH; install Node or adjust PATH if needed.
5) The code is simple and fetches only apewisdom.io; nevertheless review any integration (OpenClaw) that holds Discord tokens/credentials before granting it send permissions.
If you want extra assurance, run the scripts manually once (not via cron) and inspect the generated /tmp/wsb-latest.json and log to confirm behavior.

Review Dimensions

Purpose & Capability
ok
Name/description match the included scripts: apewisdom-wsb.js fetches ApeWisdom data and generates a markdown/json digest; wsb-digest-trigger.sh splits the digest and sends it to Discord via the user's OpenClaw CLI. No unrelated services, binaries, or credentials are requested.
Instruction Scope
note
SKILL.md and scripts restrict actions to fetching from apewisdom.io, formatting output, writing temp files under /tmp and invoking the local OpenClaw CLI to send messages. The instructions assume the user will configure TARGET_CHANNEL_ID and OPENCLAW_BIN and add a cron job. Minor scope notes: examples and defaults use /root paths and set HOME=/root, which are assumptions rather than required functionality; the code writes JSON to /tmp which the user should be aware of.
Install Mechanism
ok
There is no install spec or network install; this is an instruction + script skill with code shipped in the repo. No downloads from arbitrary URLs or archives are performed by the skill itself.
Credentials
note
The skill declares no required env vars or credentials. It relies on an existing OpenClaw installation (openclaw CLI) to perform Discord sends. That means Discord credentials are expected to be configured in the user's OpenClaw environment — reasonable for this purpose, but users should verify OpenClaw’s stored tokens/permissions separately. The scripts default to root-centric paths (/root/...), which is a usability assumption rather than an extra secret request.
Persistence & Privilege
ok
The skill is not force-enabled (always:false). Persistence is user-driven via crontab entries described in SKILL.md; the skill does not modify other skill configs or system-wide settings on its own.