Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Price Alert

v1.0.0

Real-time cryptocurrency price alerts and monitoring. Track Bitcoin, Ethereum, and 100+ coins with custom price alerts delivered to your Telegram, Discord, o...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The described purpose (real-time crypto alerts, portfolio tracking, technical indicators) matches the high-level instructions in SKILL.md and the listed data sources (CoinGecko, CoinMarketCap, Binance). However, the skill claims integrations that normally require credentials and network access (Telegram bot token, Discord webhook, SMTP, CoinMarketCap API key, Binance API), yet the registry metadata lists no required env vars or primary credential — this mismatch suggests either the SKILL.md is incomplete or the metadata is inaccurate.
Instruction Scope
SKILL.md gives high-level runtime instructions (set alerts, configure channels) and explicitly tells users to provide tokens, webhooks, and SMTP settings. It does not instruct the agent to read unrelated local files or system config. However, the instructions are vague about how credentials are stored/transmitted and give the agent broad discretion about delivery and scheduling, which is scope-broadening in the absence of code or storage guarantees.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — low installation risk. There are no downloads or extracted archives to evaluate.
Credentials
The SKILL.md references several sensitive credentials (Telegram bot token and chat ID, Discord webhook URL, SMTP credentials, Slack webhook, CoinMarketCap API key, Binance API) but the skill's registry metadata does not declare any required env vars or a primary credential. That lack of declared secrets is disproportionate to the claimed functionality and prevents the platform from gating or prompting for appropriate permissions.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system privileges in the metadata. SKILL.md does not instruct modification of other skills or system-wide agent settings. No evidence of excessive privilege requests.
What to consider before installing
Exercise caution. The skill legitimately needs API keys and delivery credentials to work (Telegram bot token/chat ID, Discord/Slack webhook URLs, SMTP settings, CoinMarketCap/Binance keys), but the registry metadata lists none of these — that mismatch is the key issue. Before installing or providing credentials, ask the publisher for: (1) source code or a trustworthy homepage; (2) a clear list of required env vars and how/where credentials are stored (are they kept only in your agent config or transmitted to an external server?); (3) whether API keys must have withdrawal permissions (never provide exchange keys with withdrawal rights — use read-only/market-only keys); (4) privacy/data retention policy and how alerts are delivered; and (5) a way to revoke or rotate tokens if needed. If you proceed, prefer creating least-privilege tokens (bot tokens limited to messaging, webhooks scoped to a single channel), test with throwaway accounts/bot tokens, and avoid providing any private keys or exchange keys with withdrawal powers. Providing these details or seeing the code would reduce the uncertainty in this assessment.

Like a lobster shell, security has layers — review code before you run it.

latestvk978wwxtdkte1hbawymmz41qqh83dyha

