ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CoinGlass API SKILL

v1.1.0

CoinGlass API skill. Routes to the appropriate sub-skill based on user intent. Covers futures, ETF, options, spots, on-chain, indicators, account, and other...

1· 56·0 current·0 all-time
byCoinGlass@coinglass-official
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description (crypto market data across futures, spots, ETF, on-chain, etc.) match the provided API.md files and routing table. Requiring curl is reasonable for an instruction-only wrapper that runs HTTP requests.
!
Instruction Scope
The SKILL.md and per-endpoint API.md files instruct the agent to call CoinGlass endpoints via curl and include a CG-API-KEY header in examples (e.g. CG-API-KEY: ${YOUR_API_KEY}). The skill's root instructions tell the agent to read the sub-skill API.md files and follow them. There are no instructions to read local files, system configs, or unrelated environment variables, but the explicit use of ${YOUR_API_KEY} in many examples implies the agent will need an API key even though none is declared.
Install Mechanism
Instruction-only skill with no install spec and no code files — no files are written to disk and nothing is downloaded or executed beyond curl-initiated HTTP requests.
!
Credentials
Many API examples expect a CG-API-KEY header (placeholder ${YOUR_API_KEY}) but the registry metadata lists no required environment variables or primary credential. That mismatch is an incoherence: the skill will function only if an API key is provided, but it doesn't declare how the platform will receive/store that key. This omission increases risk of accidental key exposure if users paste keys into chat or otherwise supply them insecurely.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. There is no install or behavior that attempts to modify other skills or system configuration.
What to consider before installing
This skill is a documentation-style wrapper around the CoinGlass REST API and will make HTTP requests to open-api-v4.coinglass.com using curl. Before installing: 1) Expect to need a CoinGlass API key — the API docs show a CG-API-KEY header, but the skill does not declare any required env var or primary credential; confirm how you will provide the key on this platform. 2) Only provide a read-only / limited-scope API key (if possible); do not paste high-privilege or account-management keys into chat. 3) Verify the skill's source (the homepage points to a GitHub repo) and confirm it's the official integration. 4) Review which endpoints you will call — most examples are GET/read-only, but avoid supplying API keys with write/trade permissions. 5) If you need stronger assurances, ask the publisher to update the skill metadata to declare a required environment variable for the API key (so the platform handles it securely) and to document expected key scope.

Like a lobster shell, security has layers — review code before you run it.

latestvk970ad1yfd1hfh1n3s0jt0h8k183w2dw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl

Comments