Crypto Price
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: crypto-price
Version: 0.2.2
The OpenClaw AgentSkills skill bundle is benign. The `SKILL.md` file contains instructions for the AI agent on how to format its output to display charts (`MEDIA: <chart_path>`), which is a functional prompt injection aligned with the skill's purpose and not malicious. The `get_price_chart.py` script interacts with legitimate cryptocurrency APIs (CoinGecko, Hyperliquid), uses standard Python libraries, and stores temporary cache and chart files in the `/tmp` directory. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or obfuscation. All network calls are to known public endpoints, and the `matplotlib` dependency is standard for plotting.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked, the agent may run the included script and attach a generated chart image.
The skill instructs the agent to execute a local bundled Python script with a user-selected token and duration; this is necessary for the stated charting function and is clearly disclosed.
python3 {baseDir}/scripts/get_price_chart.py <SYMBOL> [duration]
Use the skill when you are comfortable with local script execution for crypto chart generation, and review output before relying on it.
Installing dependencies may pull the current compatible matplotlib release and its transitive dependencies.
The charting dependency is declared with a lower-bound version rather than an exact pin; this is purpose-aligned but leaves package resolution to the user environment.
matplotlib>=3.5.0
Install dependencies from a trusted package index, preferably in a virtual environment; pin versions if you need reproducible installs.
Token symbols and requested timeframes may be sent to CoinGecko or Hyperliquid.
The skill sends market-data requests to named third-party APIs; this is disclosed and central to the price lookup purpose, with no credentials or private local data shown.
Hyperliquid API - For HYPE and other Hyperliquid tokens (preferred) ... CoinGecko API - Fallback for other tokens
Avoid treating queried symbols or timing as private, and independently verify prices before making financial decisions.
Repeated requests may return recently cached public market data rather than freshly fetched data.
The skill temporarily reuses cached public price data; this is disclosed and short-lived, but users should know results may come from cache.
Price data cached for 300 seconds (5 minutes) in `/tmp/crypto_price_*.json`.
If freshness matters, wait for cache expiry or clear the relevant /tmp cache files before retrying.
