Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Gold Monitor
v1.0.0 · Bank of Taiwan gold passbook price monitoring system. Supports price-change notifications, monitoring of specific price levels, and a daily closing report.
⭐ 0 · 23 · 0 current · 0 all-time
by gentoobreaking@openclaw (chen8-lgtm)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence

Purpose & Capability
The skill's stated purpose (monitor Taiwan Bank gold passbook prices, send notifications, daily report) is plausible, but the SKILL.md metadata requires ffmpeg, node, and Playwright (both pip and npm) in addition to matplotlib. Requiring node and ffmpeg is unexpected for a simple Python-based price monitor; Playwright (browser automation) could be justified if scraping a website, but listing both Python and Node variants (and ffmpeg) is disproportionate and inconsistent with the registry's 'required binaries: none'.
Instruction Scope
The instructions tell the agent/user to install packages and to run a Python script at ~/.qclaw/workspace/scripts/gold_monitor.py and store config/state under ~/.qclaw/*. Those files are not provided by the skill (instruction-only), so the doc expects local persistence and code that doesn't exist. The use of Playwright implies headless browsing/scraping of remote pages (network access) which is within the claimed purpose but should be explicit. Overall the runtime instructions assume creation of persistent scripts and cron jobs and grant the agent broad discretion to install and run tooling on the host.
Install Mechanism
No formal install spec in the registry, but SKILL.md recommends installing via brew (ffmpeg), pip (playwright, matplotlib), and npm (playwright). Those are standard package managers (lower risk than arbitrary downloads), but the duplication (playwright in both pip and npm) and inclusion of ffmpeg are questionable and suggest sloppy documentation or overbroad dependencies.
Credentials
No environment variables or external credentials are requested by the registry. The SKILL.md asks the user to place a Telegram bot token and chat id in a local config file (~/.qclaw/gold_monitor_config.json), which is reasonable and proportional for sending notifications. No unrelated service credentials are requested.
Persistence & Privilege
The skill instructs creating persistent files under ~/.qclaw and setting up scheduled tasks (OpenClaw cron) to run every 10 minutes and daily at 15:30. It does not request 'always: true' and does not modify other skills' configs, but it does require persistent scripts and cron scheduling which increase its runtime footprint and potential attack surface.
What to consider before installing
This skill's purpose (monitoring gold prices and sending Telegram notifications) is plausible, but the SKILL.md has inconsistencies you should resolve before installing:
1) The skill refers to a Python script and state/config files under ~/.qclaw that are not included — ask the publisher for the actual script or source code.
2) It lists ffmpeg and both Python and Node Playwright installs; ask why Node and ffmpeg are needed (these increase attack surface).
3) Installing Playwright will enable headless browsing/scraping — confirm the exact endpoints the skill will access and whether credentials are transmitted.
4) Because the skill wants to persist files and run scheduled tasks, prefer reviewing the script content before running it and store your Telegram bot token only after you trust the code.
If you can't obtain the missing code or a trustworthy source, do not install or run these install commands.

Like a lobster shell, security has layers — review code before you run it.
latest: vk971s1x8cqxq0vpq6qw10djbfn8445ee
