[Outdated] CoinMarketCap Onchain Data

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only CoinMarketCap DEX API reference with disclosed API-key use and no evidence of hidden, destructive, or persistent behavior.

Install this only if you want an agent to reference CoinMarketCap DEX API endpoints. Review curl commands before running them, provide a real CMC API key only for intended requests, avoid pasting or logging secrets, and note that the package metadata marks this skill as outdated and points users to a newer onchain-data skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger and description are broad enough to activate on generic token, contract address, or security-check requests that may not specifically require this CoinMarketCap DEX skill. Over-broad routing can cause the agent to pull in the wrong capability, increasing the chance of unnecessary credential use, confused-deputy behavior, or sending user queries to an external API when a narrower/local response would be more appropriate.

Missing User Warnings

Medium
Confidence: 82%
Finding
The skill instructs users to place an API key in request headers and shows an example containing the secret-bearing header, but it does not explicitly warn against sharing, logging, echoing, or hardcoding that credential. In an agent setting, missing credential-handling guidance can lead to accidental secret exposure in prompts, transcripts, tool output, or generated code snippets copied into insecure contexts.

VirusTotal

66/66 vendors flagged this skill as clean.
