CoinMarketCap MCP
v1.0.3Fetches cryptocurrency market data, prices, technical analysis, news, and trends using the CoinMarketCap MCP. Use for ANY question involving cryptocurrencies...
⭐ 1· 520·1 current·1 all-time
byCoinMarketCap@bryan-cmc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's declared functionality (fetching CMC market data via MCP tools) aligns with the tools listed in SKILL.md and the required CoinMarketCap API key; however the registry metadata provided with the skill notes 'Required env vars: none' and 'Primary credential: none' while SKILL.md clearly declares a required credential (X-CMC-MCP-API-KEY). This metadata mismatch is inconsistent and should be corrected/clarified.
Instruction Scope
SKILL.md contains explicit, narrow instructions for which MCP tools to call for particular data types and how to handle errors. However, it also instructs the agent to 'use for ANY question involving cryptocurrencies... even if the user doesn't explicitly ask for data' and to 'err on the side of fetching more data.' That is aggressive: it may cause frequent external API calls for incidental mentions, increasing privacy exposure and rate-limit / cost risk. The instructions do not request unrelated system files or secrets.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. The runtime surface is the platform's tool invocation, not downloaded code. No suspicious download or extract behavior is present.
Credentials
SKILL.md requires a CoinMarketCap MCP API key (X-CMC-MCP-API-KEY) and shows storing it in an mcpServers configuration entry. That credential is appropriate for the stated purpose. The concern is the registry metadata/requirements in the skill listing do not reflect this (they show no required env/primary credential), creating an ambiguity about where/how the key is expected to be provided and stored. Also, because the skill encourages broad/autonomous use, the API key could be used frequently — check key permissions, quotas, and monitoring.
Persistence & Privilege
always is false (good). The SKILL.md references storing the API key in agent settings (mcpServers), which implies the skill expects to read/write its own config; that's normal. The combination of autonomous invocation (platform default) with the skill's broad trigger rules is notable — if you want to limit external calls, require explicit user consent before each external API usage or restrict triggers.
What to consider before installing
What to check before installing:
- Confirm the registry metadata vs SKILL.md: SKILL.md requires a CoinMarketCap MCP API key (X-CMC-MCP-API-KEY). Make sure the platform will prompt for and securely store that key (mcpServers), and fix the metadata mismatch.
- Review how/when the skill is invoked: SKILL.md says to trigger on any crypto mention and to 'fetch more data' by default — this may cause many external API calls, exposing user queries to CoinMarketCap and consuming API quota or incurring costs. Consider requiring explicit user permission before calls for incidental mentions.
- Limit API-key permissions and monitor usage: use a key with minimal necessary scopes, check rate limits, and enable monitoring/alerts on the account so unexpected use is detected quickly.
- Privacy and data exposure: be aware that user queries and any data sent to MCP will go to CoinMarketCap. If you handle sensitive portfolio or account info, consider whether sending it to the third-party API is acceptable.
- If you need higher assurance: ask the maintainer (repo/homepage) to update the skill listing to declare required credentials in registry metadata and to document exactly how the key is stored and when the skill will call external tools. That clarification would raise confidence.Like a lobster shell, security has layers — review code before you run it.
latestvk9702gz3p76x3mzdfde9dbm409824cde
License
MIT-0
Free to use, modify, and redistribute. No attribution required.