Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Threshold Watcher

v1.0.0

Monitor any crypto token against configurable price/volume thresholds. Fires alerts when entry conditions are met. Use when you need proactive notification t...

by Zero2Ai (@zero2ai-hub)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The described purpose (monitor tokens, fire alerts) is reasonable, but the SKILL.md expects a node script at ~/.openclaw/workspace/scripts/trading/threshold-watcher.js and a watchlist file at ~/.openclaw/workspace/trading/watchlist.json that are not included or declared. The skill does not declare 'node' as a required binary even though its usage is central.
[!] Instruction Scope
Runtime instructions tell the agent to run local node scripts, read/write files under ~/.openclaw, add cron entries, and deliver alerts to Telegram. These actions access the user's filesystem and external networks and require credentials/configuration not described in the SKILL.md, giving the agent broad scope without clear limits.
Install Mechanism
There is no install spec (instruction-only), which minimizes what the skill writes to disk. However, being instruction-only here also means it assumes existing local scripts and config are present — a dependency mismatch rather than an installation risk.
[!] Credentials
No environment variables or credentials are declared, yet the SKILL.md promises automatic Telegram DM delivery (which requires a bot token/chat ID) and uses APIs that may need rate/credential handling. The absence of declared env vars (e.g., TELEGRAM_TOKEN) and the undeclared need for 'node' are disproportionate to what is documented.
Persistence & Privilege
The skill is not always-enabled and does not request special platform privileges. Still, it instructs adding a cron task and automatic alerting to Telegram — persistent behavior but initiated by user configuration rather than an 'always' flag.
Scan Findings in Context
[no-findings] expected: Regex scanner found nothing. This is expected because the skill is instruction-only and contains no code files for static analysis; the security signal must come from inspecting SKILL.md content instead.
What to consider before installing
Do not install or enable this skill until you confirm the missing pieces. Specifically:
(1) Verify whether the referenced script (~/.openclaw/workspace/scripts/trading/threshold-watcher.js) and watchlist file exist and review their source code — the skill provides no code.
(2) Confirm you have 'node' installed and on PATH (the SKILL.md assumes node but doesn't declare it).
(3) Ask where Telegram delivery is configured; automatic DM delivery requires a bot token and chat ID (sensitive secrets) but none are declared.
(4) If you plan to add the cron entry, review the script's behavior and ensure it does only the expected API calls and writes only to intended files.
(5) Prefer a version of this skill that includes its implementation or clear installation instructions and declares required binaries/env vars; if the author provides the missing code and explicit credential requirements, the assessment can be revised to benign.

Like a lobster shell, security has layers — review code before you run it.

latestvk978hh7226n1htfaarx8zh7czd8321vh
