valuescan-monitor-skill
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its ValueScan monitoring purpose, but it needs review because streamed token data can influence local file paths while the skill stores API secrets and runs background processes.
Review before installing. If you proceed, use a dedicated output directory and restricted user account, lock down ~/.vs-monitor/config.json permissions, and ask the maintainer to sanitize token symbols so streamed data cannot affect paths outside the intended output folder.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Unexpected or malformed stream data could append output outside the intended token-signal folder, causing unwanted local file changes.
The recommended Python monitor derives the output filename directly from streamed signal JSON without sanitizing path separators, absolute paths, or '..' components.
if event.event == "signal": write_signal(event.data, output_dir) ... symbol = inner.get("symbol", "UNKNOWN") ... file_path = dir_path / f"{symbol}.txt"
Sanitize token symbols to a strict allowlist, reject path separators and absolute paths, and verify the resolved file path remains inside the chosen outputDir before writing.
Anyone or any process that can read this config file may obtain the ValueScan API secret.
The skill requires ValueScan API credentials and explicitly stores them in a plaintext local config file.
The API Key and Secret Key will be stored in plaintext in `~/.vs-monitor/config.json`
Use a dedicated API key, restrict file permissions such as chmod 700 ~/.vs-monitor and chmod 600 config.json, and rotate the key if the file may have been exposed.
The monitor may continue connecting to ValueScan and writing files after the initial chat interaction until stopped or the connection exits.
The skill is designed to launch long-running background monitor processes and track them with PID files.
Persistent background monitoring ... nohup python /path/to/vs-monitor-skill/script/monitor.py --market ... & echo $! > ~/.vs-monitor/market.pid
Start it only when intended, use the documented stop/status commands, and periodically check ~/.vs-monitor logs and PID files.
A future dependency version could differ from what was reviewed here.
The TypeScript setup uses floating semver ranges, and the SKILL.md also documents manual package installation.
"dependencies": { "eventsource": "^2.0.2" }, "devDependencies": { "ts-node": "^10.9.2", "typescript": "^5.0.0" }
Prefer pinned versions and a lockfile, or use the reviewed Python path with explicitly pinned packages.
