Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

[Outdated] CoinMarketCap Onchain Data

v1.0.1

API reference for CoinMarketCap DEX endpoints including token lookup, pools, transactions, trending, and security analysis. Use this skill whenever the user...

0· 384·1 current·1 all-time
by CoinMarketCap @bryan-cmc
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the included API reference and examples. The documented capability (DEX token lookups, pools, security checks) aligns with the endpoints shown. However, SKILL.md declares a required credential (X-CMC_PRO_API_KEY) while the registry metadata lists no required environment variables or primary credential; that inconsistency suggests a packaging or metadata error.
Instruction Scope
Runtime instructions are limited to calling the CoinMarketCap pro-api endpoints (curl examples) and explaining the required headers, parameters, and workflows. The instructions do not direct the agent to read unrelated files, exfiltrate data to third parties, or access unrelated environment variables. Allowed tools include Bash and Read, which are appropriate for making HTTP calls and reading the bundled reference docs.
Install Mechanism
No install spec and no code files beyond documentation are present, so nothing is written to disk or fetched at install time. This is low-risk from an install mechanism perspective.
Credentials
SKILL.md explicitly requires X-CMC_PRO_API_KEY (a single API key), which is proportionate to the stated purpose. The concern is that the registry metadata does not declare this credential; the mismatch could lead to unclear storage/handling expectations (e.g., whether the key is provided via skill config, env var, or live user input). Confirm how the platform will supply and protect that API key before installing.
Persistence & Privilege
The skill is not always-on, is user-invocable, and does not request elevated or persistent system privileges. It does not modify other skills or system-wide configs based on the provided materials.
What to consider before installing
This skill is primarily documentation and examples for CoinMarketCap's DEX API and appears technically coherent for that purpose, but note the mismatch: SKILL.md says an X-CMC_PRO_API_KEY is required while the registry metadata lists no credentials. Before installing, verify (1) the skill's source / publisher (the package lists 'unknown' and 'Outdated' in its name), (2) how and where you must supply your CMC API key (do not paste secrets into chat or free-text fields), and (3) that the platform will store the API key securely (prefer platform-managed secret storage or use request-time header injection). Also confirm rate limits and plan restrictions to avoid unexpected failures. If you plan to use the security checks for trading decisions, treat results as advisory and avoid automating funds movement based solely on these outputs.

Like a lobster shell, security has layers — review code before you run it.
