Hype Scanner
PassAudited by ClawScan on May 10, 2026.
Overview
This is a coherent market-alert scanner, but it is designed to run continuously and auto-send financial hype alerts, so users should install it only if they want that behavior.
Before installing, review the full scanner-ai.js, run it from a dedicated folder, and enable the scheduled task/Telegram cron only if you want continuous background market scanning. Treat its alerts as speculative leads, not guaranteed trading signals.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The scanner can continue running in the background and producing alerts even when the user is not actively watching it.
The skill is intentionally designed to persist as a scheduled background scanner. This is disclosed and purpose-aligned, but it will keep operating until the user disables the scheduled task or cron.
Built for autonomous 24/7 operation... Trigger: Every 15 minutes... Run whether logged in or not
Create the scheduled task/cron only if you want continuous scanning, name it clearly, and document how to pause or remove it.
If configured, the agent may post alert messages to Telegram automatically on a schedule.
The cron workflow assumes the agent has delegated authority to send Telegram messages and update the local alerts file. This is disclosed and aligned with alerting, but it crosses into an external messaging account/tool.
"If pending alerts exist, send them to Telegram, then mark as seen"
Confirm the Telegram destination and permissions before enabling the cron, and add manual review if automatic posting is not desired.
A manipulated post or token promotion could increase the chance of a misleading hype alert.
Untrusted Reddit post titles are embedded into the Ollama prompt that decides whether to send an alert. Promotional or adversarial social content could try to influence the model's verdict.
Top posts: ${candidate.reddit.posts.slice(0,3).map(p => `"${p.title}" ...`)} ... VERDICT: SEND_ALERT or IGNORETreat social content as untrusted, add prompt-injection-resistant framing, and manually verify alerts before making financial decisions.
Users might treat alerts as reliable financial advice instead of speculative signals.
The documentation makes very strong performance and trading-safety claims. The artifacts do not show trading execution, but users could overtrust the alerts.
Only real hype passes — zero noise... Zero false positives that triggered a bad trade
Use alerts as research leads only; verify independently and avoid automated trading based solely on this scanner.
Users have less provenance information for the script they are asked to run continuously.
The skill includes a runnable Node.js scanner but lacks provenance and a formal install declaration. This is not suspicious by itself, but users should review the local script before scheduling it.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Inspect the full scanner-ai.js, confirm expected endpoints and file paths, and run it from a dedicated folder before enabling persistence.