Back to skill
Skillv1.0.3
ClawScan security
CoinMarketCap Crypto APIs · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 2, 2026, 4:39 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill is an instruction-only API reference for CoinMarketCap cryptocurrency endpoints and its requests and instructions are consistent with that purpose.
- Guidance
- This is a documentation/reference skill (curl examples and endpoint descriptions) for the official CoinMarketCap pro API and appears internally consistent. It does not request or store credentials itself — you will need to supply your CoinMarketCap API key if you want the agent to run the provided curl commands. Before using the skill to make live requests: (1) only provide your API key when you trust the agent and environment, (2) avoid pasting your API key into public logs or shared chat, and (3) verify the agent will call the official base URL (https://pro-api.coinmarketcap.com) and not an unexpected third-party endpoint. If you want stricter control, keep the skill installed but do not provide the API key unless needed.
Review Dimensions
- Purpose & Capability
- okThe name/description match the contents: the files are API reference docs and curl examples for CoinMarketCap crypto endpoints. Nothing requested (no env vars, no binaries, no installs) is disproportionate to an API reference.
- Instruction Scope
- noteSKILL.md contains concrete curl examples that show how to include an X-CMC_PRO_API_KEY header but does not declare or read any environment variables or system files. This is appropriate for a docs-only skill, but implementers/agents will need to supply an API key at runtime to actually make requests.
- Install Mechanism
- okThere is no install spec and no code files — lowest-risk instruction-only skill. Nothing is downloaded or written to disk by the skill itself.
- Credentials
- okThe skill does not request any credentials, config paths, or environment variables. The docs merely show a placeholder header value (your-api-key). This is proportionate for a reference.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. It does not request permanent presence or modify other skills or system settings.