Crypto Alert Agent
v1.0.0A proactive agent that monitors cryptocurrency prices, tracks your portfolio, and sends alerts via Telegram.
⭐ 0· 304·0 current·0 all-time
byNEO@vitja1988
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's stated purpose (monitor prices, track portfolio, send Telegram alerts) is reasonable, but the package contains no executable code or binaries to implement those features. The SKILL.md repeatedly references running {baseDir}/run.sh and reading/writing a credentials/telegram_chat_id file, yet no run.sh or other code files are provided and no required config paths or environment variables are declared. That discrepancy means the manifest does not match the claimed capability.
Instruction Scope
The runtime instructions tell the agent to run shell commands (bash {baseDir}/run.sh ...) and to write/read a file at {baseDir}/credentials/telegram_chat_id and expect an OpenClaw-stored Telegram bot token. Those are concrete I/O actions that are not declared elsewhere in the skill metadata. The instructions also recommend persistent automation (cron/agent loop) and automated removal of alerts, implying the agent will store and mutate alert state — but no location or storage format is specified in the package.
Install Mechanism
There is no install spec and the skill is instruction-only, which is lower installation risk in general. However, because the skill references a run.sh and other runtime artifacts that are not included, the lack of any install or code means the SKILL.md is effectively a stub/incomplete — the absence of installation steps is notable and unexplained.
Credentials
The SKILL.md requires a Telegram chat ID file and implicitly requires a Telegram bot token configured in the OpenClaw instance, but the skill's metadata declares no required environment variables or config paths. That mismatch hides the fact that the skill needs access to a messaging bot credential. CoinGecko usage is plausible without credentials. Overall, credential access is under-specified and could lead to misconfiguration or unexpected credential usage.
Persistence & Privilege
The skill does not request always:true and uses the platform defaults (agent can invoke autonomously). The documentation encourages running the agent on a schedule (cron), which is user-controlled. There is no evidence the skill requests system-wide privileges or modifies other skills, but the instructions imply persistent state (alerts/portfolio) that will be stored and mutated locally if/when the missing runtime components are provided.
What to consider before installing
Do not install or schedule this skill yet. The SKILL.md references a run.sh script and a credentials file but the package contains no code—ask the publisher for the missing runtime files (run.sh and any scripts it calls) and for exact details on where the Telegram bot token must be stored and how the agent will access it. Verify that: (1) the run.sh and any binaries are present and readable, (2) the skill declares any env vars or config paths it needs (e.g., TELEGRAM_BOT_TOKEN or a documented OpenClaw config location), (3) the code only sends messages to the Telegram chat ID you provide and does not exfiltrate other data or credentials, and (4) you review the run.sh contents before running or scheduling it. If the publisher cannot provide the missing files and a clear explanation for credential handling, treat the skill as incomplete and avoid running it.Like a lobster shell, security has layers — review code before you run it.
bitcoinvk97c0hpwzzg1a6n4hbdh31gg5181w7gdcryptovk97c0hpwzzg1a6n4hbdh31gg5181w7gdethereumvk97c0hpwzzg1a6n4hbdh31gg5181w7gdlatestvk97c0hpwzzg1a6n4hbdh31gg5181w7gdprice-alertsvk97c0hpwzzg1a6n4hbdh31gg5181w7gdtelegramvk97c0hpwzzg1a6n4hbdh31gg5181w7gdtrackingvk97c0hpwzzg1a6n4hbdh31gg5181w7gd
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📈 Clawdis