Skill v1.0.2

ClawScan security

CoinMarketCap Exchange APIs · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 2, 2026, 4:39 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only CoinMarketCap exchange API reference. Its declared purpose matches its instructions, and it asks for no unexpected install or credentials.
Guidance
This skill is an API reference for CoinMarketCap exchange endpoints and appears internally consistent. Before installing: (1) Plan how the agent will supply the X-CMC_PRO_API_KEY securely — do not paste your API key into free-text prompts; use the platform's secret store if available. (2) Be aware examples use curl so any executed commands including your API key could be captured in shell history or logs — prefer ephemeral execution or masked logging. (3) The skill permits Bash and Read; while the documentation doesn't instruct reading files, ensure the agent is not granted unnecessary file access if you want to keep local secrets private. (4) Check your CoinMarketCap plan and rate limits/credit usage to avoid unexpected charges.

Review Dimensions

Purpose & Capability
ok: Name/description, the included reference files, and runtime instructions all describe CoinMarketCap exchange endpoints (map, info, listings, quotes, market-pairs, assets). Nothing in the skill requests unrelated services, binaries, or configuration.
Instruction Scope
note: The SKILL.md gives curl examples and explicitly requires the X-CMC_PRO_API_KEY header for API calls. The instructions do not ask the agent to read local files, environment variables, or send data to third-party endpoints beyond CoinMarketCap. Allowed-tools lists Bash and Read — Read could allow file reads in principle, but the skill's documented workflows do not instruct reading files or secrets from disk.
Install Mechanism
ok: There is no install spec and no code files; this is instruction-only. That minimizes filesystem and network install risk.
Credentials
note: The skill requires an API key to use the CMC Pro endpoints (documented as X-CMC_PRO_API_KEY) but does not declare or require platform environment variables. This is proportionate to the stated purpose, though users must supply the key to the agent via the platform's secret handling or direct header insertion when executing curl.
Persistence & Privilege
ok: always is false and the skill is user-invocable with normal autonomous invocation allowed. The skill does not request persistent system presence or modify other skills/configs.