Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Hype Scanner
v1.0.0
Real-time crypto and stock hype detection using Reddit, CoinGecko, DEXScreener, and StockTwits. AI-powered signal validation with local Ollama model. Only re...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (crypto/stock hype scanner) align with the included Node.js scanner and SKILL.md. The scanner queries Reddit, CoinGecko, DEXScreener, and StockTwits and calls a local Ollama instance for analysis — these are coherent with the stated purpose. It writes alerts.json/state/log files locally (expected for this task).
Instruction Scope
SKILL.md and the code restrict actions to scanning public APIs, local Ollama (http://localhost:11434), and writing alerts/state/logs to the scanner directory. The OpenClaw cron example instructs the agent to read alerts.json and send Telegram messages; the skill itself does not include a Telegram integration or declare Telegram credentials, so the alert-transport step depends on other agent configuration. The provided Windows Task Scheduler instructions run the scanner under the current user and ask to 'Run whether logged in or not' — this implies stored credentials for the scheduler and elevated persistence that users should be aware of.
Install Mechanism
No install spec or external downloads are used — the skill is instruction-only plus a Node.js script that uses built-in Node modules (fs/http/https). That is low-risk from an install mechanism perspective (nothing arbitrary is downloaded or executed beyond Node itself).
Credentials
The skill declares no required environment variables or credentials, and its network calls go to public APIs and localhost Ollama. One mismatch to note: SKILL.md expects alerts to be delivered via Telegram, but the skill does not declare or request Telegram credentials — responsibility for messaging is delegated to the agent/OpenClaw environment. Ensure the Telegram (or other) integration used to forward alerts is configured elsewhere and only accessible with appropriate credentials.
Persistence & Privilege
always:false and no system-wide configuration changes are requested. The scanner writes files (alerts.json, scanner-state.json, scanner-ai.log) in its own directory and relies on a scheduler for periodic execution. It does not modify other skills or agent config in the code shown.
Assessment
This skill appears to do what it claims: polling public market/social APIs, scoring candidates, and using a local Ollama instance for final validation. Before installing:
1) Ensure you run it on a machine with Node.js and a local Ollama instance (the code expects http://localhost:11434 and a specified model); if Ollama is missing the scanner will fall back to rules.
2) Be aware it writes alerts.json, scanner-state.json, and logs to its directory — run it under a limited user and monitor those files.
3) The SKILL.md's alert delivery (Telegram) is an external step — configure your Telegram token or other notifier securely in your agent/system; the skill does not store or request that token.
4) The Task Scheduler / cron guidance may require stored OS credentials for 'Run whether logged in or not' — consider using a less-privileged scheduled account.
5) If you need higher assurance, provide the full (non-truncated) scanner-ai.js for review and consider running it in an isolated environment (VM/container) while you validate behavior and network calls.
Like a lobster shell, security has layers — review code before you run it.
