ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

signal-track

v0.0.3

Track persistent topics (stocks, companies, AI, and policy events) and monitor them continuously. Use this for recurring updates, trend monitoring, and struc...

1· 92·0 current·0 all-time
byLucasWU@lucas-acc

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lucas-acc/signal-track.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "signal-track" (lucas-acc/signal-track) from ClawHub.
Skill page: https://clawhub.ai/lucas-acc/signal-track
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install signal-track

ClawHub CLI

Package manager switcher

npx clawhub@latest install signal-track
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (topic tracking, continuous monitoring) align with the included CLI and src/cli.js. The code talks exclusively to the declared API base (https://younews.k.sohu.com/) and implements the CLI commands documented in SKILL.md. Minor metadata mismatch: the registry metadata claims no required config paths, but SKILL.md and the code both declare/read/write ~/.openclaw/openclaw.json and a legacy ~/.signal-track/config.json.
Instruction Scope
Runtime instructions and code only access home-directory config files (~/.openclaw/openclaw.json or ~/.signal-track/config.json), perform HTTP requests to the declared API, and print results. There is no instruction to read arbitrary system files, environment secrets, or forward data to unexpected endpoints. Note: SKILL.md explicitly states it will read/write the user's openclaw config, which is broader than many skills and worth user awareness.
Install Mechanism
No remote install downloads or extract steps; the package is instruction-only in the registry and contains a small Node.js CLI implementation. Installation described is local npm usage (npm install / npm install -g .) which is standard for Node CLIs included in the repo.
Credentials
The skill does not request unrelated environment variables or external credentials. It stores and uses a service API key (via login --api-key) and persists it into the user's config file. Storing the API key in plaintext JSON inside ~/.openclaw/openclaw.json or ~/.signal-track/config.json is expected for this CLI but is a sensitive action users should knowingly accept.
Persistence & Privilege
The skill does not request always:true and will not be force-added. It does modify a per-user config file in the home directory to persist login state; when present it writes to the openclaw config under skills.entries.signal-track or falls back to the legacy path. This is normal for a CLI that persists credentials, but it does alter a shared config file under ~/.openclaw which could be visible to other tools — users should be aware.
Assessment
This skill appears to do what it says: a Node.js CLI that talks to the YouNews API and persists an API key to a home-directory config file. Before installing, review and accept that: (1) you will provide an API key via `signal-track login --api-key <key>`; (2) the key will be stored in plaintext JSON at ~/.openclaw/openclaw.json (or legacy ~/.signal-track/config.json); and (3) the tool will create/modify those files. If you are concerned, inspect src/cli.js locally, run the CLI in a restricted environment first, or create a dedicated/limited YouNews API key rather than using a high-privilege account.
!
src/cli.js:84
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk975ch0bs2gnjjc2gf9jtm2er183k15q
92downloads
1stars
3versions
Updated 1mo ago
v0.0.3
MIT-0
LucasWU@lucas-acc
latest
Download

What it does

signal-track is an AI-native information tracking system and a CLI tool for continuous, topic-based intelligence monitoring. signal-track is not a traditional news reader and not a general recommendation feed. The system is built around long-running topics: users define persistent tracking tasks, and the platform continuously monitors information sources, detects meaningful updates, filters noise, and surfaces high-value signals. In other words, it converts one-time information queries into persistent tracking tasks.

  • Track ongoing topics (e.g. "OpenAI releases", "NVIDIA earnings", "China policy changes")
  • Aggregate updates from multiple information sources
  • Deduplicate and structure incoming information
  • Provide summarized updates and timelines
  • Support deep-dive analysis on specific events

When to use

Use signal-track when:

  • You need continuous monitoring of a topic over time
  • You want to avoid missing important updates
  • You are tracking fast-moving domains (AI, finance, policy, etc.)
  • You need structured, decision-relevant information instead of raw news

Do NOT use signal-track for:

  • General browsing or entertainment content
  • Pure one-off trivia or random browsing (unless the user explicitly asks for one-off news/article search or browsing)

Core concepts

  • Topic: A long-running information tracking task that can be expressed through a natural language description, structured keywords, and entity references.
  • NewsCard: The atomic information unit delivered to users(or agents).
    • Typical contents: title, overview, ELI5, sources, timestamp, and topic mapping.
  • Source: Any information producer the system monitors.
    • Examples: news websites, blogs, social media, research publications, official announcements, and company releases.
  • Feed: A stream of news cards associated with a topic or a user's followed topics, ordered recency.

Key capabilities

  • Create and manage topics
  • Subscribe/unsubscribe to topics
  • Retrieve topic details by id
  • Search within tracked signals
  • Fetch full article content
  • Trigger deep analysis on selected items

Example use cases

  • Track a company (e.g. Tesla, Apple) for investment decisions
  • Monitor AI model releases and benchmark progress
  • Follow policy or regulatory changes in a region
  • Track competitors or specific products
  • Provide simplified explanations of complex information (easy-to-understand summaries)

CLI surface covered

All existing signal-track CLI commands are supported through the helper script:

  • Command runner: signal-track <args>

Auth

  • signal-track login --api-key <api_key> validates the key using the backend endpoint and stores user context locally.

Topic commands

  • signal-track topic show --topic-id <topic_id> [--cursor <cursor>] [--page-size <page_size>]

Topics commands

  • signal-track topics my
  • signal-track topics list
  • signal-track topics follow --topic-id <topic_id>
  • signal-track topics unfollow --topic-id <topic_id>
  • signal-track topics search --scope my --query <keyword> [--page-size <page_size>] [--page-number <page_number>]
  • signal-track topics search --scope square --query <keyword> [--page-size <page_size>] [--page-number <page_number>]

News cards

  • signal-track news_cards feed my [--cursor <cursor>] [--page-size <page_size>]
  • signal-track news_cards feed --topic-id <topic_id> [--cursor <cursor>] [--page-size <page_size>]
  • signal-track news_cards get --news-id <news_id>
  • signal-track news_cards get <news_id> (positional alias)
  • signal-track news_cards search --query <keyword>

Articles

  • signal-track articles content --article-id <article_id>

Execution notes

  • Always keep commands in English.
  • Default environment:
    • Requires Node.js 22+.
  • API base URL defaults to https://younews.k.sohu.com/.
  • Required local config state:
    • Reads auth from ~/.openclaw/openclaw.json (preferred). If absent, falls back to legacy ~/.signal-track/config.json.
    • Writes login state to the detected existing config path (openclaw if present, otherwise legacy config path).
  • If --json is missing, output is human-readable JSON-style pretty print except for special card-get behavior where the first card is printed.

Installation and deployment

  • Prerequisite: Node.js 22+ (node -v).
  • Install from local source:
    • npm install
  • npm install -g .
    • signal-track --help
    • signal-track <command>

Error handling

  • If not logged in, commands return a clear message prompting signal-track login --api-key <api_key>.
  • Missing required flags (for example, --topic-id, --news-id, --article-id, --query, or --scope) are reported and command help is printed.
  • Invalid pagination values (negative/zero/non-integer) return validation errors before any network call.

Platform notes

signal-track is powered by YouNews as its underlying engine and can be considered the CLI version of YouNews; it is available exclusively to YouNews members — see younews.cn for more information.

Comments

Loading comments...