← Back to Skills Marketplace
zhdryanchang

Skill Discovery Monitor

by zhdryanchang · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
283
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install skill-discovery-monitor
Description
Monitor and discover popular skills across platforms with daily reports, analytics, usage flowcharts, and multi-channel notifications.
Usage Guidance
Do not install or run this skill without addressing the embedded credentials and metadata inconsistencies. Specific steps to consider before proceeding: - Treat the SkillPay API key found in skill.json/README as compromised; do not reuse it. Ask the publisher to remove any hard-coded keys and publish a version that requires you to set your own SKILLPAY_API_KEY in environment variables. - Confirm with the maintainer why registry metadata lists no required env vars while SKILL.md and code expect many tokens; prefer a manifest that accurately declares all required secrets. - If you must run this code for testing, do so in a sandboxed environment (isolated VM/container) with fake/test keys and no access to sensitive accounts. - Review/rotate any real credentials you might have exposed while evaluating this skill (especially SkillPay or SMTP credentials). - Audit the SkillPay account (if you control it) for unexpected activity, and ensure payment callbacks are validated (the code uses in-memory subscription storage and marks subscriptions active on POST /payment/callback — consider adding signature verification). - If you don't trust the author or cannot get the hard-coded key removed, avoid installing this skill because the embedded key increases risk of payment/account misuse.
Capability Analysis
Type: OpenClaw Skill Name: skill-discovery-monitor Version: 1.0.0 The skill bundle is a functional multi-platform monitoring tool designed to discover trending skills and packages from Clawhub, GitHub, and npm. The code logic is transparent, well-documented, and aligns perfectly with its stated purpose of providing analytics and notifications (Telegram, Discord, Email) for developers. While it contains a hardcoded API key in 'skill.json' and 'README.md' (a credential exposure vulnerability) and some unused dependencies like 'cheerio', these appear to be artifacts of template-based development rather than intentional malice. No evidence of data exfiltration, unauthorized execution, or prompt injection was found.
Capability Assessment
Purpose & Capability
The name/description match the code: scrapers for Clawhub/GitHub/npm, flowchart generation, scheduled reports, and multi-channel notifications. However, registry metadata claims no required env vars or credentials while both SKILL.md and the code actually require multiple credentials (SKILLPAY_API_KEY, TELEGRAM_BOT_TOKEN, DISCORD_WEBHOOK_URL, EMAIL credentials, optional CLAWHUB/GITHUB tokens). That mismatch between declared registry metadata and the skill's own docs/code is inconsistent and should be questioned.
Instruction Scope
SKILL.md describes running an Express API, endpoints (/discover, /notify, /subscribe, etc.), and environment variables needed for operation — that matches the code. The runtime instructions do not request unrelated system files or weird data collection beyond userId/transactionId/subscription info. The main scope creep risk is the payment flow (SkillPay) which will accept callbacks and mark subscriptions active; that behavior is described in code and docs.
Install Mechanism
There is no external download/install script; typical Node.js package.json and dependencies are used. Dependencies are standard for scraping, HTTP serving, notifications, and scheduling. No high-risk external URLs or archive downloads are present in the manifest.
Credentials
The code and SKILL.md require multiple credentials appropriate for the described features (telegram/discord/email tokens, optional platform tokens, and a SkillPay API key for payments), but the registry metadata declared none — an inconsistency. Critically, the repository/skill.json and README embed a concrete SkillPay API key value (apiKey: sk_e390b52c...), which appears to be a secret included in published files. Hard-coded API credentials in the bundle are a major concern: anyone with that key could call SkillPay endpoints as the skill, manipulate payment verification, or view/modify payment resources tied to that key. This is disproportionate and dangerous if left as-is.
Persistence & Privilege
The skill does not request always:true or modify other skills; it runs an HTTP server and schedules tasks in-process. Autonomous invocation is allowed (default) — combined with the embedded payment key and network access this increases blast radius, but autonomous invocation itself is not unusual.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install skill-discovery-monitor
  3. After installation, invoke the skill by name or use /skill-discovery-monitor
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Discover trending skills across Clawhub, GitHub Actions, and npm. Features include multi-platform monitoring, usage flowcharts, feature summaries, and scheduled daily reports with SkillPay integration.
Metadata
Slug skill-discovery-monitor
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Skill Discovery Monitor?

Monitor and discover popular skills across platforms with daily reports, analytics, usage flowcharts, and multi-channel notifications. It is an AI Agent Skill for Claude Code / OpenClaw, with 283 downloads so far.

How do I install Skill Discovery Monitor?

Run "/install skill-discovery-monitor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Skill Discovery Monitor free?

Yes, Skill Discovery Monitor is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Skill Discovery Monitor support?

Skill Discovery Monitor is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Skill Discovery Monitor?

It is built and maintained by zhdryanchang (@zhdryanchang); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463942 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259883 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200739 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191401 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190375 · by oswalpalash

💬 Comments