Skill v1.0.1

ClawScan security

CoinMarketCap Onchain Data APIs · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 2, 2026, 12:26 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
Documentation-only skill that documents CoinMarketCap DEX API endpoints; requirements and instructions are coherent with its stated purpose.
Guidance
This skill is a documentation/reference pack for CoinMarketCap DEX APIs and appears internally consistent. Before installing: (1) plan to supply your CoinMarketCap API key securely (the docs use X-CMC_PRO_API_KEY but the registry metadata does not declare a primary credential); put the key into your agent's secret storage rather than pasting it into chat. (2) Note that allowed tools include Bash/Read — the examples run curl to pro-api.coinmarketcap.com; avoid giving the agent other sensitive values (wallet private keys, other API keys, or local file contents) when invoking this skill. (3) Confirm you trust the source (no homepage/source provided here) before sharing your API key. If you want tighter control, require user invocation only and do not allow autonomous invocation for this skill in your agent settings.

Review Dimensions

Purpose & Capability
ok
The name/description and the provided reference files all describe CoinMarketCap DEX/on-chain APIs and the listed endpoints. There are no unexpected binaries, installs, or unrelated credential requests.
Instruction Scope
ok
SKILL.md is an API reference with curl examples and workflows that stay within the scope of querying CMC DEX endpoints (pro-api.coinmarketcap.com). It does not instruct reading arbitrary local files or sending data to third-party endpoints outside the documented API.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files — nothing is written to disk or downloaded.
Credentials
note
The documentation shows every request requires an X-CMC_PRO_API_KEY header (i.e., an API key). The registry metadata lists no required environment variables or primary credential. This is not a functional contradiction (the key can be provided at runtime), but it's a minor omission: the skill should declare that a CoinMarketCap API key is the primary credential so users know to supply it securely.
Persistence & Privilege
ok
always is false and the skill does not request persistent system privileges or modify other skills or system configuration. Allowed-tools includes Bash/Read, which is reasonable for curl examples; the skill itself does not instruct privileged actions.