v1.0.0

Crypto Price Monitor

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:31 AM.

Analysis

The skill appears to do what it advertises—check crypto prices and optionally send alerts—with only expected external API, Telegram token, and scheduling considerations.

GuidanceThis skill looks appropriate for crypto price alerts. Before installing, inspect the script, be aware it calls CoinGecko and optionally Telegram, protect any Telegram bot token you configure, avoid putting sensitive information in alert messages, and only add the cron schedule if you want it to keep running.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents

SeverityLowConfidenceHighStatusNote

SKILL.md

*/15 * * * * cd /path/to/skill && python3 crypto_alert.py >> /tmp/crypto_alerts.log 2>&1

The documentation shows how to run the script periodically with cron. This is expected for a monitoring tool, but it creates recurring background execution if the user installs it.

User impactA cron job would keep making price-check requests and potentially sending alerts until removed.

RecommendationOnly add the cron entry if continuous monitoring is desired, choose a reasonable interval, and remove the cron job when alerts are no longer needed.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceMediumStatusNote

metadata

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

The artifacts do not include a homepage or known source link. There is no automatic installer, but provenance is limited.

User impactUsers have less external provenance information to rely on and should base trust on the provided files.

RecommendationReview the included Python file before running it, and install any needed Python dependencies from trusted package sources.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

"telegram_bot_token": "YOUR_BOT_TOKEN", "telegram_chat_id": "YOUR_CHAT_ID"

The skill supports an optional Telegram bot token and chat ID for alert delivery. This is aligned with the stated purpose, but the token is a credential that should be protected.

User impactIf Telegram alerts are enabled, the configured bot token can be used to send messages through that bot.

RecommendationUse a dedicated Telegram bot, keep the config file private, avoid committing the token, and rotate the token if it is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

crypto_alert.py

url = f"https://api.telegram.org/bot{bot_token}/sendMessage" ... requests.post(url, json=payload, timeout=10)

When Telegram is configured, alert summaries are sent to Telegram's API. This external data flow is disclosed and purpose-aligned, but users should understand what alert text is being sent.

User impactAlert messages, coin names, prices, and 24-hour changes may be sent to a Telegram chat.

RecommendationDo not put sensitive personal or trading information in alert messages unless you are comfortable sending it to Telegram.