coinank-openapi

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence

ASI02: Tool Misuse and Exploitation

What this means

The agent may send your requested market-data parameters to CoinAnk to retrieve results.

Why it was flagged

The skill instructs the agent to make network requests with curl, but the destination is disclosed and aligned with the CoinAnk API purpose.

Skill content

使用 curl 执行请求... Base URL: 统一使用 `https://open-api.coinank.com`

Recommendation

Use the skill for intended CoinAnk data lookups and review requests that include unusual parameters before allowing them.

NoteHigh Confidence

ASI03: Identity and Privilege Abuse

What this means

Installing and using the skill gives the agent access to use your CoinAnk API key for CoinAnk API calls, which may affect account quota or subscription access.

Why it was flagged

The skill requires a CoinAnk API key and uses it as an HTTP header for CoinAnk requests; this is disclosed and expected for the service integration.

Skill content

`requires`: { `env`: [`COINANK_API_KEY`] } ... Auth: 从环境变量 `COINANK_API_KEY` 中获取 apikey 注入 Header

Recommendation

Use a dedicated CoinAnk API key with only the needed access level, keep it in the environment variable, and avoid exposing it in chat or logs.