ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CoinMarketCap Crypto APIs

v1.0.3

API reference for CoinMarketCap cryptocurrency endpoints including quotes, listings, OHLCV, trending, and categories. Use this skill whenever the user mentio...

1· 597·2 current·2 all-time
byCoinMarketCap@bryan-cmc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the contents: the files are API reference docs and curl examples for CoinMarketCap crypto endpoints. Nothing requested (no env vars, no binaries, no installs) is disproportionate to an API reference.
Instruction Scope
SKILL.md contains concrete curl examples that show how to include an X-CMC_PRO_API_KEY header but does not declare or read any environment variables or system files. This is appropriate for a docs-only skill, but implementers/agents will need to supply an API key at runtime to actually make requests.
Install Mechanism
There is no install spec and no code files — lowest-risk instruction-only skill. Nothing is downloaded or written to disk by the skill itself.
Credentials
The skill does not request any credentials, config paths, or environment variables. The docs merely show a placeholder header value (your-api-key). This is proportionate for a reference.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request permanent presence or modify other skills or system settings.
Assessment
This is a documentation/reference skill (curl examples and endpoint descriptions) for the official CoinMarketCap pro API and appears internally consistent. It does not request or store credentials itself — you will need to supply your CoinMarketCap API key if you want the agent to run the provided curl commands. Before using the skill to make live requests: (1) only provide your API key when you trust the agent and environment, (2) avoid pasting your API key into public logs or shared chat, and (3) verify the agent will call the official base URL (https://pro-api.coinmarketcap.com) and not an unexpected third-party endpoint. If you want stricter control, keep the skill installed but do not provide the API key unless needed.

Like a lobster shell, security has layers — review code before you run it.

latestvk978vcp29en71r7ska6439tpg1824zfv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments