Skill v3.3.18

ClawScan security

Openclaw Twitter Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 10:34 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only connector that uses a single API key to call a third-party CT Monitor backend; its declared requirements and runtime instructions are consistent with the described crypto-monitoring purpose.
Guidance
This skill is an instruction-only connector that calls a third-party API (api.ctmon.xyz) using the CT_MONITOR_API_KEY you provide. Before installing:
(1) Verify the API provider and its trustworthiness: the SKILL.md includes a GitHub link, but the registry metadata showed no homepage. Confirm the provider and read their docs/privacy policy at https://api.ctmon.xyz/api/docs.
(2) Only give it a key with the minimum permissions needed; do not reuse high-privilege keys or keys that grant access to other services.
(3) Avoid sending any secrets, private keys, or wallet seed phrases in prompts; everything you ask will be transmitted to the remote backend.
(4) If you enable scheduled jobs/auto-delivery, be aware that those runs will execute autonomously and may forward results to your configured channels (Telegram, etc.); ensure those channels are configured securely.
(5) If you stop using the skill, revoke or rotate the CT_MONITOR_API_KEY.
Overall, the skill is internally consistent with its stated purpose, but exercise standard caution when trusting a third-party backend with your query data.

Review Dimensions

Purpose & Capability
ok
The name and description (crypto KOL/tweet/news/price monitoring) align with the declared requirements: it needs curl and jq to call an external API and a single CT_MONITOR_API_KEY. The endpoints in SKILL.md are all calls to the ctmon.xyz API (expected for this purpose).
Instruction Scope
note
SKILL.md instructs the agent to make many REST calls to https://api.ctmon.xyz/api using the CT_MONITOR_API_KEY and to synthesize results; it also suggests scheduling automated runs and delivering results to external channels (e.g., Telegram). The instructions do not ask the agent to read local files or other environment variables. Note: scheduling/auto-delivery will cause the agent to run autonomously on a cadence and send data to configured channels.
Install Mechanism
ok
No install spec or bundled code: instruction-only. This is low-risk from an install perspective because nothing is downloaded or written to disk by the skill package itself.
Credentials
ok
Only one environment variable is required (CT_MONITOR_API_KEY), which is proportional to a skill that delegates all work to a remote API. No unrelated secrets or config paths are requested.
Persistence & Privilege
note
always:false and user-invocable:true (normal). However, SKILL.md encourages scheduling automated cron jobs and delivering to external channels; combined with an API key, scheduled autonomous runs will repeatedly send queries/results to the remote service and configured channels. This is expected behavior but worth awareness.