Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claude Code Changelog Monitor

Monitor Claude Code releases and get Telegram alerts when new versions ship. Zero AI credits — pure bash monitoring.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 182 · 0 current installs · 0 all-time installs
by Samantha @assistant-design

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The name/description match the actual behavior: polling npm, downloading tarballs, diffing, and sending Telegram alerts. That functionality justifies the files and scripts present. However, the README/SKILL.md claim the setup will "auto-detect your Telegram bot token from OpenClaw config" and "ask for your Telegram chat ID" — the provided setup.sh does not prompt or write a config and monitor.sh contains hard-coded default TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID values. That discrepancy is unexpected and unjustified by the stated purpose.
Instruction Scope
SKILL.md/README say setup will ask for credentials and initialize safely, but setup.sh simply runs monitor.sh immediately. monitor.sh will POST messages to Telegram using embedded defaults unless you override env vars or edit the script. The script otherwise stays within its stated purpose (npm registry calls, tar extraction, writing a version file), but the automatic initial run + default credentials broaden its impact beyond what the docs promise.
Install Mechanism
There is no external install spec (instruction-only + bundled scripts), so nothing is downloaded from arbitrary servers at install time. The risk is limited to the included shell scripts being executed by setup.sh (not an automatic network-based install). The initial-run behavior in setup.sh means the bundled monitor executes immediately during setup.
Credentials
requires.env lists none, but monitor.sh embeds a default TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID. Embedding someone else's bot token/chat id is disproportionate: the skill will send notifications to that external bot/channel unless the user provides their own credentials or edits the script. Although the data sent is limited (version info, tarball URL, brief release notes), sending any data to a third-party bot without clear consent is a meaningful privacy/telemetry concern.
Persistence & Privilege
always is false and the skill does not request elevated privileges or modify other skills. It creates files under the user's home (~/.cc-changelog-*, ~/clawd/projects/cc-changelog) and instructs adding a cron job — expected for a local monitor. The initial run invoked by setup.sh is the notable behavior, but it does not escalate system privileges.
What to consider before installing
This skill is functionally coherent but has two important red flags: (1) monitor.sh contains hard-coded TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID defaults, and (2) setup.sh runs the monitor immediately instead of prompting you for credentials as the README claims. Before installing or running it:

  • Inspect and edit scripts: open scripts/monitor.sh and scripts/setup.sh. Remove or replace the default TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID values with empty defaults, or change the script so it refuses to send alerts unless you explicitly configure credentials in ~/.cc-changelog-config.
  • Provide your own bot and chat ID: create a Telegram bot via @BotFather and set TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID in ~/.cc-changelog-config (or export them in your environment) before running setup. Verify the bot token belongs to you (call the bot API getMe to confirm) so alerts go to a bot you control.
  • Avoid running setup.sh unmodified: because setup.sh runs monitor.sh immediately, run monitor.sh manually once after you've replaced credentials or tested offline. Alternatively, run setup.sh in a controlled environment with network disabled to observe file creation without sending messages.
  • Confirm the repository/source: README/package.json point to a GitHub repo. If you plan to use this long-term, fetch the code from that repo and verify its history and the author's identity.

If the token in monitor.sh looks like someone else's demo token, remove it — leaving it in place will route your alerts to a third party. If you do not want any data leaving your machine, do not run setup.sh or monitor.sh until you remove or override the hard-coded token/chat id. If you want to proceed safely, replace the defaults with your own token/chat-id and test sending a message to verify ownership.
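The pre-install inspection recommended above can be scripted. The following is an added example, not part of the skill or of the scan report: it reports which lines of a script embed Telegram credentials and checks that a config file holds real values rather than placeholders. The token regex, the `${VAR:-default}` form of the embedded defaults, the function names and the sample files are assumptions constructed for illustration, since the page does not show monitor.sh itself.

```shell
#!/bin/sh
# Added example: audit a skill script for embedded Telegram credentials
# before running it. Runs offline; nothing here contacts Telegram.

# Assumed token shape: numeric bot id, colon, long URL-safe secret.
TOKEN_RE='[0-9]{6,}:[A-Za-z0-9_-]{30,}'
# Token-shaped literal, non-empty ${VAR:-default}, or literal numeric chat id.
CRED_RE="$TOKEN_RE|TELEGRAM_(BOT_TOKEN|CHAT_ID):-[^}\"]|TELEGRAM_CHAT_ID=[\"']?-?[0-9]"

# Print the line numbers (never the values) that embed credentials.
# Exit status 0 means at least one was found.
find_embedded_creds() (
  hits=$(grep -nE "$CRED_RE" "$1" | cut -d: -f1 | tr '\n' ' ')
  printf '%s\n' "${hits% }"
  [ -n "$hits" ]
)

# Read KEY from the config without sourcing it (sourcing would execute it).
config_value() {
  sed -nE "s/^$2=[\"']?([^\"']*)[\"']?\$/\1/p" "$1" | tail -n 1
}

# Succeed only if the config holds a token-shaped value and a usable chat id.
config_ready() (
  [ -f "$1" ] || exit 1
  config_value "$1" TELEGRAM_BOT_TOKEN | grep -qE "^($TOKEN_RE)\$" || exit 1
  config_value "$1" TELEGRAM_CHAT_ID | grep -qE '^(-?[0-9]+|@[A-Za-z0-9_]+)$'
)

# Constructed sample files; the token and chat id below are made up.
make_samples() {
  cat > "$1/monitor_bad.sh" <<'EOF'
#!/bin/bash
source ~/.cc-changelog-config 2>/dev/null
TELEGRAM_BOT_TOKEN="${TELEGRAM_BOT_TOKEN:-1234567890:AAExampleExampleExampleExampleExample0}"
TELEGRAM_CHAT_ID="${TELEGRAM_CHAT_ID:-987654321}"
EOF
  cat > "$1/monitor_ok.sh" <<'EOF'
#!/bin/bash
TELEGRAM_BOT_TOKEN="${TELEGRAM_BOT_TOKEN:-}"
TELEGRAM_CHAT_ID="${TELEGRAM_CHAT_ID:-}"
[ -n "$TELEGRAM_BOT_TOKEN" ] && [ -n "$TELEGRAM_CHAT_ID" ] || exit 1
EOF
  printf 'TELEGRAM_BOT_TOKEN="your-bot-token"\nTELEGRAM_CHAT_ID="your-chat-id"\n' > "$1/config_placeholder"
}

d=$(mktemp -d) && make_samples "$d"
echo "monitor_bad.sh embeds credentials on lines: $(find_embedded_creds "$d/monitor_bad.sh")"
rm -rf "$d"
```

Once `config_ready` passes for ~/.cc-changelog-config, the remaining step from the list above is the online getMe call that confirms the token belongs to a bot you control.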

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest vk973fxvgy6tfk31wnbe2dzpp5h82a3ee


SKILL.md

cc-changelog-monitor

Monitors @anthropic-ai/claude-code on npm and sends Telegram alerts when a new version is detected, including a diff summary of what changed between versions.

Zero AI credits used during monitoring — pure bash + curl + jq.

Quick Start

1. Setup (one-time)

bash ~/clawd/skills/cc-changelog-monitor/scripts/setup.sh

This will:

  • Auto-detect your Telegram bot token from OpenClaw config
  • Ask for your Telegram chat ID (defaults to your personal ID)
  • Initialize the version tracker at the current Claude Code version
  • Make scripts executable

2. Manual run

bash ~/clawd/skills/cc-changelog-monitor/scripts/monitor.sh

Output when no new version:

✓ Claude Code is at v2.1.69 — no change.

Output when new version detected:

🔔 New version detected: v2.1.69 → v2.1.70
📦 Downloading @anthropic-ai/claude-code@2.1.70...
✅ Telegram alert sent!
✅ Saved v2.1.70 as current version.

3. Add to OpenClaw Cron

See cron-payload.md for the exact payload to set up automatic monitoring every 2 hours.

How It Works

  1. Polls npm registry: curl https://registry.npmjs.org/@anthropic-ai/claude-code/latest
  2. Compares with ~/.cc-changelog-version (stored version)
  3. If new version: downloads the tarball, extracts it, diffs against previous
  4. Sends Telegram alert with version info + diff summary
  5. Saves new version to disk

Config

Credentials stored in ~/.cc-changelog-config:

TELEGRAM_BOT_TOKEN="your-bot-token"
TELEGRAM_CHAT_ID="your-chat-id"

Files Created by Monitor

  • ~/.cc-changelog-version — tracks the last seen version
  • ~/.cc-changelog-config — Telegram credentials
  • ~/clawd/projects/cc-changelog/{version}/ — extracted npm packages for diffing

Force Test Alert

# Reset version to trigger an alert
echo "0.0.0" > ~/.cc-changelog-version
bash ~/clawd/skills/cc-changelog-monitor/scripts/monitor.sh

Skill Invocation (from OpenClaw chat)

You can ask OpenClaw to run the monitor manually:

"Check if there's a new Claude Code version"

OpenClaw will run monitor.sh and report the result.

Files

6 total