ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Whale Monitor

v1.0.3

Monitors large cryptocurrency wallet balances (whales) on-chain using Web3 RPC to detect potential market-moving activity. Can read from `references/wallets....

5· 2.9k·10 current·10 all-time
by@waleolapo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description align with implementation: the script reads wallet addresses (from references/wallets.md or CLI args), queries an Ethereum JSON-RPC endpoint for balances, and alerts above a threshold. The bundled fallback addresses are reasonable examples. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs running the provided Node script and reading references/wallets.md, which matches the script's behavior. The script only reads the included wallets file (or CLI args) and issues JSON-RPC POST requests to the configured RPC endpoint, then prints results to stdout. There is no evidence it reads other system files or transmits data to unexpected endpoints.
Install Mechanism
No install spec is provided (instruction-only plus a script), so nothing is downloaded or installed by the skill itself. This is lowest-risk for code installation. The only runtime dependency is Node to run the script.
Credentials
The skill requires no secrets. It accepts an optional RPC_URL environment variable (not mandatory) to override the default public endpoint (https://eth.llamarpc.com). The metadata declares no required env vars; this is acceptable since RPC_URL is optional, but users should be aware they can point it at any RPC (including private or malicious endpoints) which will receive the addresses being queried.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and is invoked by the user. It performs no persistent or privileged operations beyond reading its own references/wallets.md file.
Assessment
This skill is coherent with its stated purpose, but review these practical points before running: - Inspect the script (scripts/monitor.js) yourself — it only reads references/wallets.md or CLI args and posts JSON-RPC requests to the configured RPC_URL (default: https://eth.llamarpc.com). - RPC_URL is optional but can be set; avoid pointing it at unknown or untrusted endpoints if you care about exposing which addresses you query. - No credentials are requested; the tool only prints balances to stdout. If you schedule it (cron), consider where logs go (avoid sending outputs to public locations). - Ensure you run it with a recent Node version (Node 18+ provides global fetch) or run with a fetch polyfill. - For extra caution, run it in an isolated environment with restricted network egress if you want to limit outbound connections.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fhkhv19h9cvyrk3rt9hgvhn81acgx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments