ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CoinMarketCap Market Overview APIs

v1.0.1

API reference for CoinMarketCap market-wide endpoints including global metrics, fear/greed, indices, trending topics, and charts. Use this skill whenever the...

2· 544·1 current·1 all-time
byCoinMarketCap@bryan-cmc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is an API reference for CoinMarketCap market endpoints and the included files exclusively document endpoints, parameters, examples, and use cases — which matches the name and description.
Instruction Scope
SKILL.md contains only API documentation and curl examples against pro-api.coinmarketcap.com; it does not instruct the agent to read unrelated local files, access unrelated credentials, or transmit data to third-party endpoints outside CoinMarketCap.
Install Mechanism
This is instruction-only with no install spec or downloaded code, so nothing is written to disk or installed at agent runtime.
Credentials
The documentation states all requests require the X-CMC_PRO_API_KEY header, but the skill metadata does not declare a primary credential or required env var. This is not malicious — the examples use a placeholder API key — but users should ensure they supply a valid CMC API key securely (the skill itself does not request unrelated secrets).
Persistence & Privilege
always:false and user-invocable:true. The skill does not request persistent presence or modify other skills or system configs; autonomous invocation is allowed by default but not combined with other red flags here.
Assessment
This skill is a documentation-only wrapper around CoinMarketCap's market APIs. Before using it, make sure you: (1) supply a valid CoinMarketCap API key (keep it secret and don’t paste it in public prompts); (2) understand API billing/credit limits and rate limits (examples reference rate-limit headers); and (3) be aware that the skill will make network requests to pro-api.coinmarketcap.com (no other endpoints are referenced). If you want the agent to call the API autonomously, provide the key via a secure credential mechanism rather than embedding it in prompts.

Like a lobster shell, security has layers — review code before you run it.

latestvk976dac5c6919sfevh29n2w8r1824ndh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments