Back to skill
Skillv1.0.1
ClawScan security
CoinMarketCap Market Overview APIs · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 2, 2026, 4:39 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only API reference for CoinMarketCap market endpoints and is internally consistent with its stated purpose.
- Guidance
- This skill is a documentation-only wrapper around CoinMarketCap's market APIs. Before using it, make sure you: (1) supply a valid CoinMarketCap API key (keep it secret and don’t paste it in public prompts); (2) understand API billing/credit limits and rate limits (examples reference rate-limit headers); and (3) be aware that the skill will make network requests to pro-api.coinmarketcap.com (no other endpoints are referenced). If you want the agent to call the API autonomously, provide the key via a secure credential mechanism rather than embedding it in prompts.
Review Dimensions
- Purpose & Capability
- okThe skill is an API reference for CoinMarketCap market endpoints and the included files exclusively document endpoints, parameters, examples, and use cases — which matches the name and description.
- Instruction Scope
- okSKILL.md contains only API documentation and curl examples against pro-api.coinmarketcap.com; it does not instruct the agent to read unrelated local files, access unrelated credentials, or transmit data to third-party endpoints outside CoinMarketCap.
- Install Mechanism
- okThis is instruction-only with no install spec or downloaded code, so nothing is written to disk or installed at agent runtime.
- Credentials
- noteThe documentation states all requests require the X-CMC_PRO_API_KEY header, but the skill metadata does not declare a primary credential or required env var. This is not malicious — the examples use a placeholder API key — but users should ensure they supply a valid CMC API key securely (the skill itself does not request unrelated secrets).
- Persistence & Privilege
- okalways:false and user-invocable:true. The skill does not request persistent presence or modify other skills or system configs; autonomous invocation is allowed by default but not combined with other red flags here.