coinank-openapi
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: coinank-openapi
Version: 1.0.2
The `SKILL.md` instructs the AI agent to construct `curl` commands for API interaction. While the network requests are restricted to a specific domain (`https://open-api.coinank.com`), the instructions do not explicitly detail input sanitization for user-provided parameters (e.g., `symbol`, `exchange`, `endTime`, `size`) when building these `curl` commands. This creates a potential shell injection vulnerability if the AI agent's execution environment does not adequately sanitize user input before executing shell commands, allowing for unauthorized command execution. However, there is no clear evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints or persistence mechanisms within the skill bundle.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may send your requested market-data parameters to CoinAnk to retrieve results.
The skill instructs the agent to make network requests with curl, but the destination is disclosed and aligned with the CoinAnk API purpose.
Use curl to execute requests... Base URL: always use `https://open-api.coinank.com`
Use the skill for intended CoinAnk data lookups and review requests that include unusual parameters before allowing them.
Installing and using the skill gives the agent access to use your CoinAnk API key for CoinAnk API calls, which may affect account quota or subscription access.
The skill requires a CoinAnk API key and uses it as an HTTP header for CoinAnk requests; this is disclosed and expected for the service integration.
`requires`: { `env`: [`COINANK_API_KEY`] } ... Auth: read the apikey from the environment variable `COINANK_API_KEY` and inject it into the Header
Use a dedicated CoinAnk API key with only the needed access level, keep it in the environment variable, and avoid exposing it in chat or logs.
