valuescan-monitor-skill

v1.0.2

ValueScan后台实时监控Skill。订阅Stream推送（大盘分析/代币信号），将数据持久化写入本地文件，可选飞书机器人通知。

⭐ 0· 66·0 current·0 all-time

byValueScan-ai@valuescan-io

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for valuescan-io/valuescan-moni.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "valuescan-monitor-skill" (valuescan-io/valuescan-moni) from ClawHub.
Skill page: https://clawhub.ai/valuescan-io/valuescan-moni
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install valuescan-moni

ClawHub CLI

Package manager switcher

npx clawhub@latest install valuescan-moni

Security Scan

Capability signals

CryptoRequires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

Name/description, SKILL.md, and the included scripts consistently implement a realtime SSE monitor for ValueScan that writes events to disk and optionally posts to a Feishu webhook — that capability is coherent with the stated purpose. However, registry metadata (no required env vars, 'instruction-only' claim) contradicts SKILL.md which declares required API Key/Secret and dependency runtimes; the package claims to be instruction-only but includes runnable code (Python/TS/JS). These packaging inconsistencies should be resolved.

ℹ

Instruction Scope

Runtime instructions are narrowly scoped to: collect APIKey/Secret, create ~/.vs-monitor/config.json, start/stop background monitor processes (PID files), write event data to user-specified outputDir, and optionally POST to a configured Feishu webhook. This matches the skill purpose. Two points to note: (1) the agent is instructed to start/kill processes and write files under the user's home — this requires shell access and can affect local processes if PID files are tampered with; (2) credentials are explicitly written to disk in plaintext per SKILL.md.

ℹ

Install Mechanism

There is no automated install spec (no archive download or package installation), which reduces supply-chain risk, but the SKILL.md and scripts require Python and Node dependencies (pip packages and npm deps) to be installed manually. The presence of multiple language implementations (py/ts/js) is benign but worth noting — the skill ships runnable code even though registry metadata suggested instruction-only.

Credentials

Requesting an API Key and Secret is appropriate for subscribing to ValueScan streams. However: (1) SKILL.md/ scripts will store those credentials in plaintext at ~/.vs-monitor/config.json (explicitly noted) — this is a material risk and increases credential exposure; (2) registry metadata did not declare required credentials, an inventory mismatch that could lead to unexpected disclosure; (3) writing to arbitrary outputDir and allowing a webhook URL lets data leave the host if a webhook is configured or maliciously changed.

✓

Persistence & Privilege

Skill does not request always:true or system-wide privileges. It manages its own files under ~/.vs-monitor and writes PID files for the monitor processes. The skill can be invoked autonomously (platform default), which combined with stored credentials would increase blast radius — exercise usual caution, but this is not an unusual privilege level for a monitoring skill.

What to consider before installing

Before installing, verify the skill source and consider the following: (1) packaging mismatch — the registry claims no credentials but SKILL.md and scripts require API Key + Secret; confirm this is expected. (2) Credentials will be stored in plaintext at ~/.vs-monitor/config.json — avoid using high-privilege or long-lived keys, and restrict file permissions (chmod 600) or run the monitor in a container/VM. (3) The skill starts/kills background processes based on PID files — do not run as root and ensure PID files point to the intended processes. (4) Only configure the optional Feishu webhook if you trust the destination (it will receive message contents). (5) Inspect the provided scripts yourself (they are included) and consider running them in an isolated environment. If these issues are acceptable and provenance is verified, the code appears to implement the described monitoring behavior; otherwise do not install.

script/monitor.ts:184

File read combined with network send (possible exfiltration).

About static analysis

These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk970dvsr04g0ge8rd2y0atnhex84vsrm

66downloads

0stars

1versions

Updated 1w ago

v1.0.2

MIT-0

valuescan-monitor-skill

后台常驻监控 ValueScan Stream 推送，将大盘分析和代币信号实时写入本地文件，并可选发送飞书机器人通知。

首次安装

当用户首次使用监控相关指令时，若 ~/.vs-monitor/config.json 不存在，Claude 按以下步骤引导安装：

询问 API Key（ValueScan 开放平台获取）
询问 Secret Key
询问数据输出目录（如 /Users/xxx/valuescan-monitor）
询问飞书 webhook URL（直接回车跳过，可后续补充）
将以上内容写入 ~/.vs-monitor/config.json：

{
  "apiKey": "...",
  "secretKey": "...",
  "outputDir": "/path/to/output",
  "feishuWebhook": "",
  "streamBaseUrl": "https://stream.valuescan.ai",
  "apiBaseUrl": "https://api.valuescan.io"
}

触发语与 Claude 动作

用户说	Claude 动作
监控大盘分析 / 开始大盘监控	检查 `market.pid`，kill 旧进程后启动 `python monitor.py --market`，写 `~/.vs-monitor/market.pid`
监控所有代币信号	检查 `signal.pid`，kill 旧进程后启动 `python monitor.py --signal`，写 `signal.pid`
监控 BTC 信号	启动 `python monitor.py --signal --tokens=BTC`，写 `signal.pid`
监控 ETH 和 SOL 信号	启动 `python monitor.py --signal --tokens=ETH,SOL`，写 `signal.pid`
同时监控大盘和所有代币信号	启动两个独立进程，分别写 `market.pid` 和 `signal.pid`
停止大盘监控	读取 `market.pid`，kill 对应进程，删除 PID 文件
停止信号监控 / 停止代币监控	读取 `signal.pid`，kill 对应进程，删除 PID 文件
停止所有监控	kill 两个 PID，删除对应 PID 文件
查看监控状态 / 监控运行中吗	检查两个 PID 文件是否存在且进程存活，报告状态

进程管理

PID 文件目录：~/.vs-monitor/

模式	PID 文件
大盘分析	`~/.vs-monitor/market.pid`
代币信号	`~/.vs-monitor/signal.pid`

启动前检查：

# 检查进程是否存活
PID=$(cat ~/.vs-monitor/market.pid 2>/dev/null)
if [ -n "$PID" ] && kill -0 "$PID" 2>/dev/null; then
    kill "$PID"
fi

后台启动：

nohup python /path/to/vs-monitor-skill/script/monitor.py --market \
    --config=~/.vs-monitor/config.json > ~/.vs-monitor/market.log 2>&1 &
echo $! > ~/.vs-monitor/market.pid

文件写入规则

来源	路径	格式
大盘分析（market event）	`{outputDir}/大盘分析/大盘分析-YYYY-MM-DD.txt`	`[HH:MM:SS]\n{content}\n---\n`
代币信号（signal event）	`{outputDir}/代币信号/YYYY-MM-DD/{symbol}.txt`	`[HH:MM:SS] [{type}]\n{content}\n---\n`

symbol 从 signal content JSON 的 symbol 字段取
type：OPPORTUNITY / RISK / ANOMALY
heartbeat / connected 事件忽略，不写文件
目录不存在时自动创建

飞书通知格式

配置了 feishuWebhook 时，写文件同时 POST 飞书机器人：

大盘分析：

【ValueScan 大盘分析】
{content 前 300 字}

代币信号：

【ValueScan 信号】{symbol} · {type中文}
{content 前 300 字}

type 中文：OPPORTUNITY=机会信号、RISK=风险信号、ANOMALY=资金异动

脚本使用

Python（推荐）

pip install sseclient-py requests
python monitor.py --market
python monitor.py --signal --tokens=BTC,ETH

TypeScript

cd script && npm install
npx ts-node monitor.ts --market
npx ts-node monitor.ts --signal --tokens=BTC,ETH

认证签名

Stream SSE 使用 query params 认证：

timestamp = 当前毫秒时间戳
nonce     = 随机 UUID
sign      = HMAC-SHA256(key=secretKey, message=timestamp + nonce)

参数拼接到 SSE URL：?apiKey=...&timestamp=...&nonce=...&sign=...

安全注意事项

凭证存储：API Key 和 Secret Key 将以明文存储在 ~/.vs-monitor/config.json，请确保该目录权限受控
进程管理：技能会创建后台进程并通过 PID 文件管理（kill 旧进程），PID 文件位于 ~/.vs-monitor/
文件写入：所有数据写入用户指定的 outputDir，请确保目录路径安全
隔离环境：建议在容器、VM 或权限受限的账户中运行，以限制影响范围

已知限制

断线后进程退出，需 Claude 手动重启（不含自动重连）
同类型只允许一个进程（signal 或 market 各一个）

Comments

Loading comments...