CoinMarketCap Market Overview APIs

Security checks across malware telemetry and agentic risk

Overview

This is a static CoinMarketCap API reference skill: it documents read-only endpoints and requires the user's own API key, which the skill itself does not contain. Users should treat the key-info and community/content endpoints carefully, since they return account-level and user-generated data rather than market metrics.

Install it if you want broad CoinMarketCap API coverage, not only market-cap or chart endpoints. Keep your CMC API key out of chat logs and code, prefer environment variables or a secret manager, and only call /v1/key/info when you actually need account plan, quota, and usage details, because that response is account-sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: High (98% confidence)
Finding
The skill manifest says this is a market-wide CoinMarketCap API reference, but the file actually documents content, news, posts, and comments endpoints. This scope mismatch can cause an agent to invoke unrelated capabilities, retrieve unintended user/community content, and violate least-privilege or user-expectation boundaries.

Context-Inappropriate Capability

Severity: Medium (94% confidence)
Finding
Including community posts, comments, and news aggregation in a market-metrics skill expands the skill beyond its justified scope and may steer an agent toward collecting or exposing user-generated content when only market data was expected. In this context, the mismatch increases risk because content endpoints can surface social data and sentiment-like signals that are materially different from neutral market metrics.

Description-Behavior Mismatch

Severity: Medium (91% confidence)
Finding
The file documents utility endpoints for fiat mapping, key inspection, and price conversion even though the skill is described as market-wide API reference content. This scope mismatch can cause an agent to invoke endpoints unrelated to the declared purpose, expanding accessible functionality and increasing the chance of unintended disclosure or misuse of account-level data.

Description-Behavior Mismatch

Severity: Medium (95% confidence)
Finding
Including `/v1/key/info` in a market-only skill exposes account usage, plan, and rate-limit details that are operationally sensitive and unrelated to market data retrieval. In an agent setting, this broadens the skill from informational market access to account introspection, which can leak billing and quota information or encourage unnecessary calls against sensitive endpoints.

Description-Behavior Mismatch

Severity: Medium (95% confidence)
Finding
The skill manifest describes a market-wide API reference, but this file documents additional capabilities including news retrieval, price conversion, API key usage inspection, and fiat ID mapping. That scope expansion can cause an agent to invoke endpoints handling account metadata or unrelated data domains that were not clearly declared, increasing the risk of overprivileged or unintended tool use.

Missing User Warnings

Severity: Low (76% confidence)
Finding
The `/v1/key/info` section describes returning plan, usage, and rate-limit data without warning that these values are account-sensitive. In an agent context, this can normalize exposing operational metadata that may aid reconnaissance of service limits, billing posture, or tenant activity, especially because the endpoint is already out of scope for a market-data skill.
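The Overview asks users to keep the key out of code and logs and to call /v1/key/info only deliberately, and the findings above all reduce to the same problem: a skill whose declared scope is "market data" gives an agent paths into account, tooling, and community endpoints. The following is an added example, not part of the skill or of SkillSpector, of the control a practitioner would put in front of such a skill: a small client that loads the key from the environment, refuses anything outside an explicitly declared scope allowlist, and redacts the key from any text that might reach a log. The base URL and the `X-CMC_PRO_API_KEY` header are CoinMarketCap's documented conventions; only `/v1/key/info` appears on this page, so the other endpoint prefixes, the scope names, and the `CMC_PRO_API_KEY` variable name are assumptions made for illustration.

```python
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Mapping, Optional
from urllib.parse import urlencode, urlsplit

# CoinMarketCap's documented base URL and key header (the key goes in a
# header, never in the query string, so it does not end up in URL logs).
BASE_URL = "https://pro-api.coinmarketcap.com"
API_KEY_HEADER = "X-CMC_PRO_API_KEY"
ENV_VAR = "CMC_PRO_API_KEY"  # assumed variable name for illustration

# Endpoint families keyed by the scope a skill manifest would declare.
# Matching is by path prefix; anything not listed is denied by default.
# /v1/key/info is the only path taken from the page; the rest are assumed.
SCOPES: Dict[str, tuple] = {
    "market": ("/v1/cryptocurrency/", "/v1/global-metrics/", "/v1/exchange/"),
    "tools": ("/v1/tools/", "/v1/fiat/"),
    "content": ("/v1/content/",),
    "account": ("/v1/key/info",),
}


class ScopeViolation(PermissionError):
    """Raised when a path falls outside the scopes the caller declared."""


class MissingApiKey(RuntimeError):
    """Raised when no key is present in the environment."""


def load_api_key(env: Optional[Mapping[str, str]] = None) -> str:
    """Read the key from the environment (or a secret-manager mapping)."""
    env = os.environ if env is None else env
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise MissingApiKey(f"{ENV_VAR} is not set; never hard-code the key")
    return key


def redact(text: str, key: str) -> str:
    """Replace the key wherever it appears before text reaches a log."""
    return text.replace(key, "[REDACTED]") if key else text


@dataclass(frozen=True)
class CmcClient:
    key: str
    # Default to market data only; widening the set is an explicit decision.
    allowed_scopes: FrozenSet[str] = frozenset({"market"})

    def scope_of(self, path: str) -> Optional[str]:
        """Return the scope a path belongs to, or None if it is unknown."""
        for scope, prefixes in SCOPES.items():
            if any(path == p or path.startswith(p) for p in prefixes):
                return scope
        return None

    def is_allowed(self, path: str) -> bool:
        try:
            self.build_request(path)
            return True
        except ScopeViolation:
            return False

    def build_request(self, path: str, params: Optional[dict] = None) -> dict:
        """Validate the path against the allowlist and build the request."""
        parts = urlsplit(path)
        # Reject full URLs, embedded queries and traversal so an agent cannot
        # smuggle a different host or endpoint through the path argument.
        if parts.scheme or parts.netloc or parts.query or ".." in parts.path:
            raise ScopeViolation("pass a bare API path such as /v1/...")
        scope = self.scope_of(parts.path)
        if scope is None or scope not in self.allowed_scopes:
            raise ScopeViolation(
                f"{parts.path} is outside declared scope(s) "
                f"{sorted(self.allowed_scopes)}"
            )
        url = BASE_URL + parts.path
        if params:
            url += "?" + urlencode(params)
        return {"method": "GET", "url": url, "headers": {API_KEY_HEADER: self.key}}


if __name__ == "__main__":
    client = CmcClient(key=load_api_key())
    print(client.build_request("/v1/cryptocurrency/listings/latest", {"limit": 5}))
    print(client.is_allowed("/v1/key/info"))  # False: account scope not declared
```

Two design points matter for the agent setting the findings describe. The allowlist is keyed by the scope the manifest declares, so a skill described as "market data" cannot reach `/v1/key/info` or the content endpoints unless whoever wires it in passes `allowed_scopes` containing `account` or `content`, which turns the scope mismatch from a silent expansion into a visible configuration choice. And because the request dict is returned rather than sent, the same function can be used as a pre-flight check in a tool wrapper, with `redact()` applied to any exception text before it is logged or echoed back to the model.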

VirusTotal

66/66 vendors flagged this skill as clean.
