NOFX AI500 Report

Generate periodic crypto market intelligence reports from the NOFX AI500 system. Monitors coin selections, analyzes OI (Open Interest), institutional fund fl...

Before installing, consider the following: - Hard-coded API key/base: ai500-report.py contains BASE = "https://nofxos.ai" and KEY = "cm_568c67eae410d912c54c" and monitor.sh falls back to the same values. This means the bundled scripts will use that embedded key unless you explicitly override it with environment variables. Treat that as a secret; do not assume it's yours. Either remove the hard-coded key or replace it with your own key before running. - Metadata vs reality mismatch: The registry metadata lists no required env vars, but runtime docs and scripts require a NOFX API base, an API key, and a Telegram chat ID. Expect to provide these manually; the listing is incomplete. - Persistence: The skill asks you to create cron jobs that will run periodically and will write a known-list file under your HOME. Review and approve the cron payloads and file paths; consider running them in a controlled/isolated sessionTarget if possible. - SSL snippet is insecure: SKILL.md suggests creating an unverified SSL context to avoid cert issues. Do not disable SSL verification in production — instead fix certificate/trust issues or use proper TLS verification. - Optional external services: The video pipeline docs mention Remotion/Playwright/ffmpeg and Minimax TTS (api.minimax.chat). Those are optional but involve additional network calls and possibly API keys; if you enable video/TTS, verify what credentials and external endpoints are used. - Minimal mitigations: (1) Remove or rotate any hard-coded credentials and supply your own via environment variables. (2) Inspect the cron job payloads and set sessionTarget to isolated if available. (3) Run the scripts in a sandboxed environment first and monitor network traffic if you are concerned about where requests go. (4) If you do not trust the hardcoded key's owner, do not rely on it — replace it or block outgoing requests to that endpoint. Given these inconsistencies and the embedded key, proceed only after you have removed the hard-coded credentials or fully understood and accepted the implications of using them.

Type: OpenClaw Skill Name: nofx-ai500-report Version: 1.3.0 The skill is designed to generate crypto market reports and send them to a user-specified Telegram channel, which involves legitimate network access and scheduled execution (cron jobs). However, it contains a hardcoded API key (`cm_568c67eae410d912c54c`) in `scripts/monitor.sh` and `references/ai500-report.py`, which is a security vulnerability. Additionally, `SKILL.md` notes the use of `ssl._create_unverified_context()` for Python, which disables SSL certificate verification and is a significant security anti-pattern. While these are vulnerabilities rather than direct malicious intent, the combination of powerful capabilities (cron job creation, network access, file system writes to `$HOME/.openclaw/workspace/`) and these security flaws makes the skill suspicious.