ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CoinMarketCap Exchange APIs

v1.0.2

API reference for CoinMarketCap exchange endpoints including exchange info, volume, market pairs, and assets. Use this skill whenever the user mentions excha...

0· 462·1 current·1 all-time
byCoinMarketCap@bryan-cmc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, the included reference files, and runtime instructions all describe CoinMarketCap exchange endpoints (map, info, listings, quotes, market-pairs, assets). Nothing in the skill requests unrelated services, binaries, or configuration.
Instruction Scope
The SKILL.md gives curl examples and explicitly requires the X-CMC_PRO_API_KEY header for API calls. The instructions do not ask the agent to read local files, environment variables, or send data to third-party endpoints beyond CoinMarketCap. Allowed-tools lists Bash and Read — Read could allow file reads in principle, but the skill's documented workflows do not instruct reading files or secrets from disk.
Install Mechanism
There is no install spec and no code files; this is instruction-only. That minimizes filesystem and network install risk.
Credentials
The skill requires an API key to use the CMC Pro endpoints (documented as X-CMC_PRO_API_KEY) but does not declare or require platform environment variables. This is proportionate to the stated purpose, though users must supply the key to the agent via the platform's secret handling or direct header insertion when executing curl.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. The skill does not request persistent system presence or modify other skills/configs.
Assessment
This skill is an API reference for CoinMarketCap exchange endpoints and appears internally consistent. Before installing: (1) Plan how the agent will supply the X-CMC_PRO_API_KEY securely — do not paste your API key into free-text prompts; use the platform's secret store if available. (2) Be aware examples use curl so any executed commands including your API key could be captured in shell history or logs — prefer ephemeral execution or masked logging. (3) The skill permits Bash and Read; while the documentation doesn't instruct reading files, ensure the agent is not granted unnecessary file access if you want to keep local secrets private. (4) Check your CoinMarketCap plan and rate limits/credit usage to avoid unexpected charges.

Like a lobster shell, security has layers — review code before you run it.

latestvk976y2f0b0h22cp9vf9ndaj9mh825rzy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments