Low Risk — Risk Score 10/100
Last scan: 1 day ago
news-watcher
Cryptocurrency news watcher using Playwright - monitors CoinDesk/PANews and sends Telegram notifications via OpenClaw AI Agent
A legitimate cryptocurrency news watcher skill that uses Playwright to monitor news sites and sends Telegram notifications via OpenClaw CLI, with no malicious behavior detected.
Skill Name: news-watcher
Duration: 37.1s
Engine: pi
Safe to install
This skill is safe to use. No security concerns require action.

Findings 2 items

Severity: Low
Finding: Suspicious unpinned dependency (Supply Chain)
Location: package.json:11
package.json declares 'crypto: ^1.0.1' which is not a legitimate npm package (Node.js has built-in crypto). However, the code imports from Node's built-in 'crypto' module, so this is a placeholder with no runtime impact.
"crypto": "^1.0.1"
→ Remove the 'crypto' entry from dependencies - the built-in Node.js module is used automatically.

Severity: Low
Finding: Minor documentation imprecision (Doc Mismatch)
Location: SKILL.md:1
SKILL.md describes filesystem as READ but code writes to ~/.openclaw/cache/. However, this is scoped write access to a dedicated cache directory which is reasonable for the feature.
Cache writes to ~/.openclaw/cache/news-hash.json
→ Minor - no action required, behavior is reasonable.

Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | WRITE | ✓ Aligned | fs.writeFileSync for cache save (line 61) - scoped to ~/.openclaw/cache/
Network | READ | READ | ✓ Aligned | Playwright page.goto for news sites + OpenClaw CLI network calls
Shell | WRITE | WRITE | ✓ Aligned | execFileSync('node', [OPENCLAW_MJS, ...]) at line 13 - only calls OpenClaw CLI
Browser | READ | READ | ✓ Aligned | Playwright chromium.launch() for news site scraping
Environment | NONE | READ | ✓ Aligned | Reads OPENCLAW_MJS, TELEGRAM_USER_ID, CHROME_PATH - all documented, no credentia…

2 findings
Severity: Medium
Finding: External URL
URL: https://www.coindesk.com/zh
Location: scripts/watch-news.js:35

Severity: Medium
Finding: External URL
URL: https://www.panewslab.com/zh
Location: scripts/watch-news.js:41

File Tree

6 files · 34.8 KB · 1123 lines
JavaScript 1f · 373L Text 1f · 373L Markdown 2f · 299L JSON 2f · 78L
├─ 📁 scripts
│ └─ 📜 watch-news.js JavaScript 373L · 12.4 KB
├─ 📋 package.json JSON 20L · 529 B
├─ 📝 README.md Markdown 141L · 3.1 KB
├─ 📋 skill.json JSON 58L · 2.0 KB
├─ 📝 SKILL.md Markdown 158L · 4.3 KB
└─ 📄 watch-news.txt Text 373L · 12.4 KB

Dependencies 2 items

Package | Version | Source | Known Vulns | Notes
playwright | ^1.40.0 | npm | No | Version range with caret - minor version flexibility
crypto | ^1.0.1 | npm | No | This is a placeholder/typosquat package - Node.js built-in crypto is used instead

Security Positives

✓ Fully open-source with GitHub link provided for verification
✓ No base64 encoding, obfuscation, or hidden functionality
✓ No credential harvesting - only reads documented config env vars
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No data exfiltration or C2 communication patterns
✓ Shell execution is limited to OpenClaw CLI (documented and necessary)
✓ Cache writes are scoped to a dedicated application directory
✓ Legitimate use case: news monitoring and Telegram notifications