csgo
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill is not actually credential-free; using it may require giving the agent access to an API token for the CSQAQ service.
The skill asks the user to place a CSQAQ API token in config.json, while the registry metadata declares no primary credential or required environment variables.
"apiToken": "你的CSQAQ_API_TOKEN"
Use a dedicated, least-privilege API token if available, avoid sharing the config file, and revoke the token if it is no longer needed.
Notification messages could reveal the items and market signals you are tracking to the configured chat or webhook destination.
The skill supports sending alerts through external notification webhooks such as DingTalk and Feishu, which may include monitored item names, prices, and alert conditions.
"webhook": "https://oapi.dingtalk.com/robot/send?access_token=你的TOKEN"
Only configure trusted webhook destinations, protect webhook tokens like credentials, and review what alert content will be sent.
Your watchlist and alert preferences may persist across sessions and could influence later monitoring behavior.
The skill documents persistent storage of monitor configuration, price history, and notification logs, with monitor configuration retained permanently.
openclaw.memory.set('csgo_monitor_config', monitors);
Review and clear stored monitor configurations or notification logs when you no longer want them retained.
If implemented, the skill may continue checking prices and sending alerts on a schedule after initial setup.
The skill describes recurring scheduled monitoring and reporting tasks, including checks every 30 minutes and daily reports.
"*/30 * * * *": "checkAllMonitors"
Confirm scheduled monitoring is desired, set reasonable intervals and quiet hours, and disable monitors you no longer need.
A user may need additional files or package sources that are not represented in the reviewed artifact set.
The instructions reference npm installation and Node scripts such as test-api.js, but the provided manifest contains only SKILL.md and no package or script files.
npm install
Before running npm or Node commands, verify the source of any missing files, inspect package.json and lockfiles, and avoid running untrusted code.
