CoinMarketCap Onchain Data APIs

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only CoinMarketCap DEX API reference skill, with normal API-key curl examples and no hidden code or destructive behavior.

Safe to install for CoinMarketCap DEX API reference work. Use an environment variable or secret manager for your CMC API key, review any curl command before running it, and treat token risk or trending data as informational rather than trading advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger and description are broad enough to activate this skill for common token-lookup or security-check requests, potentially causing the agent to over-select this skill outside its narrow intended use. In an agent environment, overly broad invocation scope can route unrelated requests to tooling that encourages API usage or on-chain analysis workflows, increasing the chance of unnecessary external calls and inappropriate handling of user queries.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill instructs users to supply an API key in request headers and shows a literal header example, but provides no warning about keeping secrets out of logs, transcripts, screenshots, or shared shell history. In a tool-using agent context, this omission is risky because users or downstream automation may paste real credentials into commands that are echoed, stored, or exposed in shared outputs.

Missing User Warnings

Low
Confidence: 90%
Finding
The example embeds an API key header pattern directly in a shell command without any warning about secret handling. In practice, users often paste such commands into terminals, docs systems, CI logs, or shared screenshots, which can lead to accidental credential disclosure even if the placeholder value is not a real key.

Missing User Warnings

Low
Confidence: 92%
Finding
These additional curl examples repeat the same unsafe documentation pattern by showing direct API key header usage without any accompanying handling guidance. Because this skill is an API reference likely to be copied verbatim by developers, the context slightly increases the chance of negligent secret exposure through terminal history, notebooks, support tickets, or source control.

VirusTotal

65/65 vendors flagged this skill as clean.
