Skill v1.0.0

ClawScan security

Binance Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Reviewed
Mar 12, 2026, 4:48 PM
Verdict
Review
Confidence
high
Model
gpt-5-mini
Summary
The code largely matches a Binance + X monitor, but there are mismatches between the docs/config and the implementation (no Feishu send implementation; config.json is not actually read) that could mislead users and require manual wiring. Proceed with caution and test before trusting it to send notifications.
Guidance
What to consider before installing:
- The monitors work: monitor.js polls Binance and x-monitor.js polls Jina.ai for X content; both write local state and notify files.
- BUT: the project does not actually send Feishu messages. sender.js emits NOTIFY:<JSON> to stdout for an external process to consume; there is no Feishu API call or token handling in the code. If you expect automatic Feishu delivery, you must provide or implement a delivery component that holds your Feishu credentials.
- SKILL.md and README tell you to edit config.json, but the runtime scripts use hard-coded CONFIG objects and do not read config.json. If you need different intervals or targets, update the code or add config-loading logic.
- No environment variables are requested, so secret handling is left entirely to you. Do not store secrets in the repo; prefer environment variables or secure storage.
- Safe usage tips: run in an isolated directory or container; inspect and, if needed, modify the code to add proper config parsing and a secure Feishu sender that reads credentials from environment variables; test end-to-end in a controlled environment; and verify that the external delivery component handles retries and rate limits.
- If you want this skill to send messages automatically via OpenClaw agents, confirm how OpenClaw captures sender.js stdout and whether it provides secure credential injection. If uncertain, treat the skill as monitoring plus a local queue only until you wire a secure sender.

Review Dimensions

Purpose & Capability
concern
The skill's stated purpose (monitor Binance announcements and X accounts and notify via Feishu) is mostly reflected in the code: monitor.js and x-monitor.js fetch public Binance and Jina.ai endpoints and queue notifications. However, the code does NOT implement sending to Feishu (no Feishu API calls or credential usage) and does not read the provided config.json; it uses hard-coded CONFIG objects. The presence of an editable config.json and SKILL.md guidance implying an out-of-the-box Feishu integration is therefore misleading.
Instruction Scope
concern
SKILL.md instructs users to edit config.json and expects Feishu notifications. In practice monitor.js and x-monitor.js use hard-coded configuration and only write local notify/state files. The sender process only prints NOTIFY:<JSON> to stdout for an external tool to pick up; there are no instructions in the code to send network requests to Feishu or to read environment secrets. This is scope confusion (monitoring is fine; sending relies on external wiring).
Install Mechanism
ok
No install spec; the package is instruction + code only and requires Node >=18. No remote downloads or extract operations are present. Risk is low from an installation perspective, but the code writes persistent state files in the working directory (expected).
Credentials
concern
The skill declares no required environment variables or credentials, yet its documented behavior (sending Feishu messages) would normally require Feishu credentials/tokens and/or an external 'message' tool. The absence of credential requirements is inconsistent with the claimed notification capability and could mislead users into thinking it will send messages automatically.
Persistence & Privilege
ok
The skill is not force-included (always:false), doesn't request elevated system privileges, and only persists local state/queue files within its directory. It does not modify other skills or system-wide configs.