v1.0.0

Crypto Price Alert

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:59 AM.

Analysis

The skill is coherent for crypto price alerts, but users should notice that it may involve messaging credentials, portfolio details, and scheduled monitoring.

Guidance: Before installing or using this skill, decide what portfolio details you are comfortable sharing, use dedicated notification credentials, verify all webhook or chat destinations, and make sure any scheduled alerts can be reviewed and disabled.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: Low; Confidence: High; Status: Note
SKILL.md
"report_schedule": "0 9 * * *" ... Requirements: OpenClaw with cron enabled

Scheduled reports and cron support imply ongoing automated activity, although this is disclosed and aligned with an alerting skill.

User impact: The skill may continue sending scheduled alerts or reports until the user changes or disables the schedule.
Recommendation: Set explicit schedules, destinations, and stop conditions; periodically review active alerts and remove any that are no longer needed.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
SKILL.md
| Telegram | Provide bot token and chat ID | ... | Discord | Set up webhook URL | ... | Email | Configure SMTP settings | ... | Slack | Add webhook URL |

The skill may require bot tokens, webhooks, or SMTP settings that can send messages through the user's accounts or channels.

User impact: If configured, the agent or setup process may gain the ability to post alerts or send emails through the user's chosen services.
Recommendation: Use dedicated low-privilege bots, webhooks, and email credentials; avoid sharing exchange trading or withdrawal keys, seed phrases, or unrelated account credentials.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium; Confidence: High; Status: Note
SKILL.md
"portfolio": [ {"coin": "bitcoin", "amount": 0.5}, {"coin": "ethereum", "amount": 10} ]

Portfolio tracking requires recording crypto holdings, which can be sensitive financial information.

User impact: The skill may store or reuse information about the user's crypto holdings for reports and calculations.
Recommendation: Share only the holdings needed for tracking, confirm where portfolio data is stored, and avoid including wallet addresses, private keys, or seed phrases.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
SKILL.md
"channels": ["telegram", "email"] ... Multi-channel delivery: Telegram, Discord, Email, Slack

Alerts and reports may be sent through third-party messaging or email providers.

User impact: Price alerts, schedules, and possibly portfolio summaries could be delivered to external services selected by the user.
Recommendation: Choose delivery channels carefully, verify destination IDs or webhook URLs, and avoid sending sensitive portfolio summaries to shared or public channels.