Binance Monitor

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly does what it claims, but it hardcodes a Feishu recipient so alerts could be routed to an unintended account.

Before installing or running, verify and change the Feishu recipient in the source or require a real config-loading implementation. Treat it as a long-running monitor that will repeatedly contact Binance and Jina AI until stopped.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a downstream Feishu sender processes these notifications, messages may be sent to this fixed OpenID rather than to the installer or intended recipient.

Why it was flagged

The Feishu notification target is hardcoded in the source and used directly for queued notifications; the provided monitor source does not load config.json to replace it.

Skill content

targetUser: 'ou_c1bac9d5fa30ac354a3705a9c87993dd', ... target: `user:${CONFIG.targetUser}`

Recommendation

Remove hardcoded recipient IDs, load the target from user-controlled configuration, show the resolved recipient at startup, and require explicit user confirmation before sending.

What this means

A user may believe alerts will go to them while the implementation is prepared to route them elsewhere.

Why it was flagged

The documentation implies the default target is the current user, but the supplied scripts hardcode a specific OpenID, creating a misleading expectation about who receives alerts.

Skill content

| `targetUser` | Current user | Notification recipient open_id |

Recommendation

Update the documentation to match the implementation, or preferably implement the documented behavior by deriving or requiring the current user's Feishu OpenID.

What this means

Once started, it will continue making periodic network requests and writing state files until stopped.

Why it was flagged

The skill is explicitly designed to keep running in the background without human intervention; this is expected for a monitor but creates ongoing activity.

Skill content

Continuous background monitoring, no human intervention required

Recommendation

Run it only when continuous monitoring is desired, and use the documented stop commands or avoid systemd/nohup unless persistent operation is intended.

What this means

Users have less external provenance information to verify where the skill came from or whether the registry metadata fully describes its runtime needs.

Why it was flagged

The skill includes runnable scripts, but registry provenance and install metadata are limited. The supplied code is reviewable and has no package dependencies, so this is a provenance note rather than a standalone concern.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Review the included files before running, prefer a verified source/homepage, and have the publisher update metadata to declare Node.js and runtime behavior.