NOFX AI500 Report

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its crypto-reporting purpose, but it embeds a default NOFX API key and sets up recurring automated reports, so users should review credential handling before installing.

Before installing, require the publisher to remove the embedded NOFX key and declare the API key as an explicit secret. If you proceed, verify the cron schedules, Telegram target, and local state file location, and remove the jobs when you no longer want automated reports.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The scheduled monitor may access NOFX using an embedded credential instead of a credential you explicitly supplied, creating unclear account attribution and exposing that key in requests/job contexts.

Why it was flagged

The monitor silently falls back to an embedded auth key and sends it as the API credential if NOFX_KEY is not set. This conflicts with the documented setup flow that says the user should provide the API auth key.

Skill content

KEY="${NOFX_KEY:-cm_568c67eae410d912c54c}"
RESPONSE=$(curl -s "${BASE}/api/ai500/list?auth=${KEY}")

Recommendation

Remove the hardcoded key, declare the NOFX key as a required credential/env var, and store it through OpenClaw's secret mechanism rather than in source or cron text.

What this means

The agent can continue fetching market data and generating/sending reports on a schedule after setup.

Why it was flagged

The skill intentionally creates recurring autonomous jobs for monitoring and reporting. This persistence is disclosed and aligned with the purpose, but it continues operating until the user removes the jobs.

Skill content

Then create two cron jobs using the OpenClaw cron tool:

### Job 1: New Coin Monitor (every 15 min)
...
### Job 2: Periodic Report (every 30 min)

Recommendation

Install only if you want ongoing monitoring, verify the exact schedules and delivery targets, and know how to list and remove the cron jobs.

What this means

If configured, the skill can run local commands and post alerts to the configured Telegram/chat destination.

Why it was flagged

The cron payload directs the agent to run a local shell script and then use a messaging tool. This is central to the monitoring use case, but it is still local command execution plus external message posting.

Skill content

1. Execute `bash <skill-dir>/scripts/monitor.sh`
...
a. Use message tool to send Telegram notification

Recommendation

Review the script before enabling it, confirm the chat ID/channel, and avoid granting broader messaging or shell permissions than needed.

What this means

Deleting or editing the known-coin file can change which alerts are sent; the file also records the monitored coin list locally.

Why it was flagged

The monitor keeps persistent local state to remember previously seen coins and compare future API responses. This is expected for new-coin alerts, but the stored file affects future behavior.

Skill content

KNOWN_FILE="${NOFX_KNOWN_FILE:-$HOME/.openclaw/workspace/nofx-ai500-known.json}"

Recommendation

Keep the state file in the intended OpenClaw workspace, protect it from unwanted edits, and reset/delete it if you want to reinitialize monitoring.