Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
research-monitor
v1.0.0
Automatically collects and summarizes news, trends, competitor activity, and technology updates by keyword, and delivers daily and weekly reports.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes crawling, RSS reading, web-search API usage, and Telegram notifications. However, the skill metadata declares no required environment variables, credentials, or install steps. Sending Telegram messages and calling web APIs normally requires a bot token/API key; the absence of any declared credentials is inconsistent with the stated capabilities.
Instruction Scope
Runtime instructions ask the agent to perform automated crawling, change detection, and to send daily/weekly reports via Telegram. They do not specify which web search API, how Telegram will be authenticated, or what data is included in reports. Automatic data transmission to an external endpoint (Telegram) is implied but not authorized in the metadata, creating scope and data-flow ambiguity.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes on-disk risk. There is nothing being downloaded or installed by the skill itself according to the manifest.
Credentials
The skill will plausibly need at least a Telegram bot token and likely API keys for web search or RSS services, but requires.env lists none. That mismatch means required secrets are not declared and the agent or user might be asked for credentials at runtime or the skill may attempt to use connectors with broader access than necessary.
Persistence & Privilege
always is false (good). The SKILL.md requests scheduled automatic runs (daily/weekly/real-time alerts). Autonomous invocation is allowed by default — this is normal — but the manifest does not explain how scheduling is implemented or where credentials/schedules are stored. Automatic external notifications combined with undeclared creds increases the risk surface.
What to consider before installing
This skill claims to crawl news and send Telegram alerts but does not state required credentials or how scheduling/notifications are implemented. Before installing: 1) Ask the publisher which Telegram bot token and web-search/RSS API keys are needed, and why those credentials are necessary. 2) Require the skill to declare required env vars and all external endpoints it will contact. 3) Confirm where scheduled jobs run and whether you can review/log outgoing messages. 4) Prefer a version with a public source/homepage and a trusted owner; do not supply broad credentials (AWS, GitHub, etc.) or reuse high-privilege tokens. If you must test, restrict the bot token to a dedicated low-privilege Telegram bot and monitor network activity and messages.
Like a lobster shell, security has layers — review code before you run it.
latestvk97a8f8cvwt13y3wye9eqs79fs83hc49
