ClawHub

Crypto Funding Monitor

实时监测加密货币项目融资和TEG信息,支持Telegram、Discord、Email多渠道推送及定时简报。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 155 · 0 current installs · 0 all-time installs
by@zhdryanchang
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The code implements monitoring, scraping (RootData, Twitter/X) and multi-channel notifications (Telegram, Discord, Email) and integrates SkillPay for per-call billing — all of which align with the stated purpose. However the registry metadata claims no required environment variables while the SKILL.md, code, and docs require a SKILLPAY_API_KEY and several optional service credentials; this metadata mismatch is incoherent.
Instruction Scope
SKILL.md and the code only instruct the agent to scrape the stated sources and send notifications to the declared channels; the runtime instructions do not request unrelated system files or arbitrary data. They do, however, direct data to multiple external services (SkillPay, RootData, Twitter, Discord, Telegram, SMTP) which is expected for the feature set but important to note.
Install Mechanism
There is no custom install script that downloads arbitrary code; dependencies are normal npm packages listed in package.json/package-lock.json. quickstart.sh runs npm install and starts the server. No suspicious third-party download URLs or extract-from-URL steps were found.
!
Credentials
Requiring service credentials (Telegram bot token, Discord webhook, SMTP creds, Twitter bearer token, RootData API key, and a SkillPay API key) is proportionate to the declared features — except that the repository/documentation include a concrete SKILLPAY_API_KEY value and skill.json contains an apiKey field. Shipping a real API key inside the package or docs is unnecessary and dangerous (allows the publisher to receive payments or verify/track calls). Also registry metadata listing zero required env vars contradicts the obvious runtime requirements.
Persistence & Privilege
The skill does not request platform-level privileges or set always: true. However, embedding a SkillPay API key in the package/documentation effectively grants the publisher an ongoing credential (persistence of secret) that could be used externally. That increases blast radius: the skill will make scheduled network calls and could log usage to the remote payment endpoint.
Scan Findings in Context
[hardcoded_skillpay_api_key_in_quickstart_or_docs] unexpected: QUICKSTART.md and README.md contain a concrete SKILLPAY_API_KEY value (sk_e390b52c...). Including a live API key in docs is not required for the skill to work with a user's own key and is a serious secrecy/privacy issue.
[skilljson_contains_apiKey_field] unexpected: skill.json contains an "apiKey" field with the same SkillPay API key. Distributing a secret inside skill.json is not expected and allows whoever controls that key to interact with SkillPay on behalf of installations.
What to consider before installing
This package mostly does what it says, but it ships with a SkillPay API key embedded in skill.json and in the docs. That is a red flag: do NOT run this skill in production or expose it to real users until you address the credential issue. Actions to consider before installing/running: 1) Remove any hard-coded API keys from the repository (skill.json, QUICKSTART.md, README.md) and replace them with placeholder values. 2) Use your own SkillPay API key (never the one in the package). Rotate/revoke the embedded key with SkillPay if possible. 3) Audit network endpoints the skill calls (SkillPay, RootData, Twitter, any webhooks) and ensure you trust those services. 4) Run the skill in an isolated test environment (not on machines hosting sensitive data) and review logs/traffic to confirm no unexpected exfiltration. 5) If you plan to publish this skill, update registry metadata to declare required env vars, and remove secrets from all files. If you are unsure who owns the included SkillPay key, treat it as untrusted and replace it before use.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk974eq9mygs6xb83fcng5tkvpd82ceky

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Crypto Funding Monitor

实时监测加密货币项目融资和TEG信息的智能skill,支持多平台推送。

功能特性

  • 🔍 多平台监测: RootData、X (Twitter) 等平台
  • 📊 融资信息: 最新融资轮次、金额、投资方
  • 🚀 TEG项目: Token Generation Event 项目追踪
  • 📱 多渠道推送: Telegram、Discord、Email
  • 💰 付费调用: 通过 SkillPay.me 集成,每次调用 0.001 USDT
  • 定时推送: 每日定时简报

使用方法

API 端点

POST /monitor

触发一次监测并推送简报

请求参数:

{
  "userId": "user123",
  "transactionId": "tx456",
  "channels": {
    "telegram": { "chatId": "123456789" },
    "discord": true,
    "email": { "to": "user@example.com" }
  }
}

POST /subscribe

订阅定时推送服务

请求参数:

{
  "userId": "user123",
  "channels": {
    "telegram": { "chatId": "123456789" },
    "email": { "to": "user@example.com" }
  },
  "schedule": ["0 9 * * *", "0 18 * * *"]
}

POST /unsubscribe

取消订阅

请求参数:

{
  "userId": "user123"
}

配置

需要配置以下环境变量:

  • SKILLPAY_API_KEY: SkillPay API密钥(必需)
  • TELEGRAM_BOT_TOKEN: Telegram Bot令牌(可选)
  • DISCORD_WEBHOOK_URL: Discord Webhook URL(可选)
  • EMAIL_USER/EMAIL_PASS: SMTP邮箱配置(可选)
  • TWITTER_BEARER_TOKEN: Twitter API令牌(可选)

定价

  • 每次调用: 0.001 USDT
  • 通过 SkillPay.me 自动结算

数据源

  • RootData: 加密项目融资数据库
  • Twitter/X: 实时融资动态
  • 支持扩展更多数据源

推送渠道

  • Telegram: Bot推送到个人或群组
  • Discord: Webhook推送到频道
  • Email: SMTP邮件推送

定时任务

默认推送时间:

  • 早上 9:00
  • 晚上 18:00

可通过环境变量自定义。

技术栈

  • Node.js + Express
  • SkillPay.me 支付集成
  • RootData + Twitter 数据源
  • Telegram + Discord + Email 推送
  • node-cron 定时任务

许可证

MIT

Files

22 total
Select a file
Select a file to preview.

Comments

Loading comments…