Mrc Monitor
v1.0.0

Real-time token monitoring for the MRC canteen order system. Monitors Firebase Firestore for token status and notifies when orders are ready. Use when the user sends commands like "mrc 73", "token 97", or "monitor 42" to monitor one or multiple canteen tokens. Handles multiple tokens simultaneously, sends independent notifications per token, and auto-exits when all tokens are ready.
by @wysh3

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The code implements real-time polling of the stated Firebase project/collection and sends notifications to chat channels — this matches the description. However the skill embeds a Firebase API key and calls an external 'openclaw' CLI for notifications while the manifest declares no required credentials or external binaries. The presence of a hard-coded API key and an undeclared CLI dependency is a transparency mismatch.
Instruction Scope
SKILL.md instructs the agent to spawn the provided monitor.py as a background process and to use subprocess to do so, which is exactly what the code expects. The instructions do not ask the agent to read unrelated files or secrets. They do, however, assume the presence of the openclaw CLI and a Python runtime with 'requests' installed, neither of which is declared in the manifest.
Install Mechanism
There is no install spec (instruction-only plus a bundled script). That is low risk from an installer perspective because nothing is automatically downloaded, but it means runtime dependencies must be present in the agent environment.
Credentials
The script contains a hard-coded FIREBASE_API_KEY and project identifier. The manifest declares no required env vars or credentials, which is inconsistent: monitoring Firebase legitimately requires an API key, but embedding a key in code is poor practice and surprising to users. The script also writes logs to skills/mrc-monitor/logs and makes network requests to Firestore (reads the entire 'orders' collection). These actions are within the stated purpose but are sensitive (exposes order data) and should be spelled out and controlled via configuration.
Persistence & Privilege
The skill is not always-included and does not request elevated platform privileges. It spawns a background process (subprocess.Popen) which will run with the agent's user permissions — expected for a monitoring tool. Autonomous invocation is allowed (platform default), which increases runtime visibility but is not, by itself, a contradiction.
What to consider before installing
This skill appears to do what it says, but there are transparency and configuration issues you should address before installing:
- The script contains a hard-coded Firebase API key and project ID. A Firebase web API key identifies the project rather than authenticating a user, so what it can read is governed by the project's Firestore security rules; confirm you trust embedding that key and verify exactly what those rules permit. Prefer moving the key to an environment variable or secret store and update SKILL.md/manifest to declare it.
- The code calls an external 'openclaw' CLI to send messages and uses the 'requests' Python package; the manifest declares no required binaries or dependencies. Ensure the runtime has python3, the requests library, and the openclaw CLI available, or update the manifest to declare these requirements.
- The monitor writes logs to skills/mrc-monitor/logs. Confirm log storage and retention policies and that logs don't leak sensitive order/student info.
- The script fetches the entire orders collection on every poll, although it only needs the documents for the tokens being monitored. Verify this is acceptable from a privacy standpoint, that the Firebase project is the correct one, and consider whether a query filtered to the requested tokens would do.
- Because the agent will spawn a background process, understand that process runs with the agent's permissions and will continue until tokens are ready or it times out; plan for cleanup and resource usage.
If you cannot verify the API key and the presence and behavior of the openclaw CLI, treat this skill as untrusted. At minimum, require that the key be moved out of source and that the external CLI and Python dependencies be declared before use.
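The key-handling, query-scoping and log-redaction changes recommended above, as an added Python example that is not the skill's own monitor.py and not code from the skill author. It assumes the 'orders' documents carry an integer 'token' field and a string 'status' field that becomes "ready", that fields such as studentId are the sensitive ones to redact, and that the caller supplies the HTTP call (for example `requests.post(...).json()`); the sample Firestore response is constructed.

```python
import re

# Added example (not the skill's own code): configuration, query and logging
# changes the review recommends. Field names ('token', 'status') and the
# sensitive-field list are assumptions about the 'orders' documents.

FIRESTORE_BASE = "https://firestore.googleapis.com/v1/projects/{project}/databases/(default)/documents"
API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")  # shape of a Firebase/Google web API key
SENSITIVE_FIELDS = {"studentId", "name", "phone", "email"}  # assumed PII fields


def load_config(env):
    """Read the key and project from the environment instead of source.

    `env` is any mapping (pass os.environ in real use); missing or malformed
    values fail fast rather than silently polling the wrong project.
    """
    key = env.get("FIREBASE_API_KEY", "")
    project = env.get("FIREBASE_PROJECT_ID", "")
    if not key or not project:
        raise RuntimeError("FIREBASE_API_KEY and FIREBASE_PROJECT_ID must be set")
    if not API_KEY_RE.fullmatch(key):
        raise RuntimeError("FIREBASE_API_KEY does not look like a web API key")
    return {"api_key": key, "project": project}


def run_query_url(cfg):
    return FIRESTORE_BASE.format(project=cfg["project"]) + ":runQuery"


def request_headers(cfg):
    # Send the key as a header rather than ?key=... so it never lands in URL logs.
    return {"x-goog-api-key": cfg["api_key"], "Content-Type": "application/json"}


def build_token_query(tokens, collection="orders"):
    """runQuery body that fetches only the requested tokens, not the whole collection."""
    if not 0 < len(tokens) <= 30:  # Firestore 'IN' filters take at most 30 values
        raise ValueError("monitor between 1 and 30 tokens per query")
    return {
        "structuredQuery": {
            "from": [{"collectionId": collection}],
            "where": {
                "fieldFilter": {
                    "field": {"fieldPath": "token"},
                    "op": "IN",
                    "value": {"arrayValue": {"values": [{"integerValue": str(t)} for t in tokens]}},
                }
            },
            "limit": len(tokens),
        }
    }


def parse_run_query(response):
    """Map token -> status from a runQuery response (entries without 'document' are skipped)."""
    statuses = {}
    for entry in response:
        doc = entry.get("document")
        if not doc:
            continue
        fields = doc["fields"]
        token = int(fields["token"]["integerValue"])
        statuses[token] = fields["status"]["stringValue"]
    return statuses


def redact(fields):
    """Strip PII before anything is written to skills/mrc-monitor/logs."""
    return {k: ("[redacted]" if k in SENSITIVE_FIELDS else v) for k, v in fields.items()}


def all_ready(statuses, tokens):
    """Exit condition: every monitored token has a document and it is 'ready'."""
    return all(statuses.get(t) == "ready" for t in tokens)


def poll_once(cfg, tokens, post):
    """One polling round. `post(url, headers, body)` performs the HTTP call and
    returns the decoded JSON list (requests.post(...).json() in real use)."""
    body = build_token_query(tokens)
    statuses = parse_run_query(post(run_query_url(cfg), request_headers(cfg), body))
    return statuses, all_ready(statuses, tokens)


# Constructed sample response in the shape Firestore's runQuery returns.
SAMPLE_RESPONSE = [
    {"document": {"name": "projects/demo/databases/(default)/documents/orders/a1",
                  "fields": {"token": {"integerValue": "73"}, "status": {"stringValue": "ready"},
                             "studentId": {"stringValue": "S123"}}},
     "readTime": "2024-01-01T00:00:00Z"},
    {"document": {"name": "projects/demo/databases/(default)/documents/orders/b2",
                  "fields": {"token": {"integerValue": "97"}, "status": {"stringValue": "preparing"}}},
     "readTime": "2024-01-01T00:00:00Z"},
    {"readTime": "2024-01-01T00:00:00Z"},  # trailing entry with no document
]

if __name__ == "__main__":
    cfg = load_config({"FIREBASE_API_KEY": "AIza" + "A" * 35, "FIREBASE_PROJECT_ID": "demo"})
    statuses, done = poll_once(cfg, [73, 97], lambda url, headers, body: SAMPLE_RESPONSE)
    print(statuses, "all ready:", done)
```

In a real deployment the loop would call `poll_once` on an interval with a deadline, log only `redact(...)`-ed fields, and exit as soon as `all_ready` returns True, which is also the point at which the agent-spawned background process should terminate and be cleaned up.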
