Skill v1.1.0

ClawScan security

Solana Token Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 6, 2026, 5:05 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose: it polls the public DexScreener API, stores per-token JSON configs, and optionally sends alerts via Telegram; nothing requested or implemented is disproportionate to that goal.
Guidance
This skill appears to do exactly what it says: poll DexScreener and optionally send Telegram alerts. Before installing, consider: (1) Telegram bot token and chat ID are stored in a JSON file under ~/.openclaw/workspace/data/token-monitors — protect filesystem permissions if you store secrets there; (2) the skill will make outbound HTTP requests to api.dexscreener.com and api.telegram.org during checks; if you want no autonomous network activity, don't enable heartbeat checks or don't configure Telegram; (3) you received the source here — review monitor.py if you want to double-check; (4) if you don't trust the anonymous author, avoid adding Telegram credentials or running the skill with high privileges. Overall, the skill is coherent and proportional to its stated purpose.

Review Dimensions

Purpose & Capability
ok
Name and description (Solana token monitoring using DexScreener) match the code and instructions. Required binary is python3 and the code uses the DexScreener public API and optional Telegram Bot API as advertised — all expected for this functionality.
Instruction Scope
ok
Runtime instructions only run the included monitor.py (setup, check, report, list). The script reads/writes its own config files under ~/.openclaw/workspace/data/token-monitors, polls DexScreener, and optionally posts to Telegram. It does not instruct reading unrelated files, environment secrets, or posting to unexpected endpoints.
Install Mechanism
ok
No install spec — the skill ships a Python script and the SKILL.md/INSTRUCTIONS.md explain how to run it. Nothing is downloaded at runtime beyond API calls to known HTTP endpoints. No archives or third-party installers are used.
Credentials
ok
No required environment variables or external credentials are declared. Telegram bot token and chat ID are optional and only used if the user supplies them via setup; those are stored in the skill's own JSON config. The level and type of credential access is proportional to the described functionality.
Persistence & Privilege
ok
The skill is not forced-always (always: false) and uses normal, self-contained persistence (per-symbol JSON files under the skill's data directory). It does not modify other skills or system settings. Autonomous invocation (agent can run checks during heartbeats) is expected for a monitoring skill.