CoinGlass API SKILL

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only CoinGlass API skill that makes user-directed read-only API requests, but users should handle API keys and wallet lookups carefully.

Install only if you are comfortable letting the agent make CoinGlass API requests with your API key. Treat CG-API-KEY as a secret, prefer environment variables or a secret store, redact it from logs and shared prompts, and only run wallet/address lookups for legitimate user-approved purposes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Severity: Low
Confidence: 94%
Finding
The documentation instructs users to place a live `CG-API-KEY` in request headers but provides no warning about secret handling, storage, redaction, or avoiding exposure in logs, screenshots, or shared snippets. In an API skill context this can lead to accidental credential leakage and unauthorized use of the user's CoinGlass account quota or subscription tier.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding
The skill documents endpoints that retrieve wallet positions and user-address-specific position data without any privacy warning or use constraints. In an agent setting, this can normalize surveillance-style lookups of identifiable wallet activity and may lead users or downstream systems to query sensitive financial data without considering privacy, consent, or policy boundaries.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The examples instruct use of a live API key header but provide no warning about secret handling, storage, or redaction. In agent and tooling environments, this increases the risk that users paste real credentials into prompts, logs, shell history, telemetry, or generated code, leading to credential exposure and unauthorized API use.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The skill repeatedly instructs users to send a live API key in an HTTP header and shows example commands without any warning about secret handling, shell history exposure, logging, or safe storage. In agent or shared-terminal contexts, this increases the chance that credentials are copied into prompts, persisted in logs, or exposed through process history and debugging output.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill repeatedly instructs users to pass `CG-API-KEY` in curl headers but provides no warning about protecting secrets from shell history, terminal logging, process inspection, or accidental sharing in transcripts. While using an API key in an HTTP header is normal, omitting basic secret-handling guidance in a copy-pasteable skill increases the likelihood of credential exposure and downstream API abuse.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The documentation instructs users to place the API key directly in a curl header, but provides no warning about shell history, process listings, CI logs, terminal recording, or copied command transcripts exposing that credential. In an agent-skill context, examples are often reused verbatim and may be surfaced in logs or tool traces, which makes accidental credential disclosure more likely even though the file itself is only documentation.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The skill documentation instructs users to send a CG-API-KEY in outbound requests to a third-party service but does not warn about credential sensitivity, storage, logging, or external transmission. In an agent setting, this can lead to accidental key exposure in logs, prompts, screenshots, or unsafe reuse, especially when users may not realize the request leaves their environment.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The example instructs users to send a `CG-API-KEY` header to an external CoinGlass endpoint without any warning that credentials are being transmitted off-platform. In an agent-skill context, this can lead users or calling systems to expose API keys to a third-party service without explicit consent or handling guidance, increasing the risk of accidental credential disclosure or misuse.

Missing User Warnings

Severity: Low
Confidence: 92%
Finding
The skill includes example requests that instruct use of a live `CG-API-KEY` in calls to an external API but provides no warning that credentials will be transmitted off-platform. In an agent setting, this can normalize secret disclosure and lead users or downstream tooling to send sensitive API keys to third-party services without explicit consent or handling guidance.

VirusTotal

65/65 vendors flagged this skill as clean.
