ClawHub

Telegram Alerts

v1.0.1

Send formatted trading alerts, portfolio updates, and market signals via Telegram. Supports price alerts, stop-loss notifications, win/loss reporting, and sc...

0· 1.2k·9 current·9 all-time
by@jamierossouw
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name and description claim Telegram trading alerts, which justifies needing a Telegram bot token and chat id. However, the registry metadata declares no required environment variables or primary credential while SKILL.md explicitly says TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID are required — the manifest and runtime instructions are inconsistent.
Instruction Scope
SKILL.md is instruction-only and only describes sending formatted alerts to Telegram and requiring two .env values. It does not instruct reading unrelated files or contacting other external endpoints, but the instructions are terse/vague (no explicit runtime commands) and rely on an out-of-band .env file for secrets.
Install Mechanism
No install spec and no code files — lowest-risk delivery model. Nothing will be downloaded or written by an installer according to the registry.
!
Credentials
The environment variables referenced in SKILL.md (TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID) are proportionate to sending Telegram messages. The concern is that the registry metadata does not declare these required credentials, so an automated permission review or user expecting a manifest-driven check could miss that secrets are needed or used.
Persistence & Privilege
always:false and no install behavior — the skill does not request permanent/system-level presence. disable-model-invocation is false (agent may call it autonomously), which is normal for skills; combine this with the metadata mismatch when deciding risk tolerance.
What to consider before installing
This skill appears to do what it says (send Telegram trading alerts) and legitimately needs a TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID, but the registry metadata does not list those environment variables — that discrepancy is the main red flag. Before using: 1) Ask the publisher to update the manifest to declare required env vars explicitly so reviewers and automated checks see them. 2) Use a dedicated Telegram bot token (do not reuse other tokens), and only give it the minimum permissions; consider creating a bot account just for alerts. 3) Store the token in a secure secret manager rather than plaintext .env if possible. 4) Be aware the agent can send messages autonomously (disable-model-invocation is false); ensure you trust the agent's triggers and the content it may send. 5) If you need stronger assurance, request the author provide explicit runtime commands or a minimal code sample so reviewers can confirm no other data is accessed or transmitted.

Like a lobster shell, security has layers — review code before you run it.

alertsvk974sd4emncz15v6am6dqmwa6n81k618cryptovk974sd4emncz15v6am6dqmwa6n81k618latestvk97c34es88mtmvsxye5ba2szvn81k5mxnotificationsvk974sd4emncz15v6am6dqmwa6n81k618telegramvk974sd4emncz15v6am6dqmwa6n81k618tradingvk974sd4emncz15v6am6dqmwa6n81k618

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments