ClawHub

Bitpanda

v1.0.0

Check your Bitpanda crypto portfolio, wallet balances, and trade history via CLI using your API key with read-only access.

0· 549·0 current·0 all-time
byFlorian Beer@florianbeer
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (read-only Bitpanda portfolio) matches the actual code and SKILL.md: the script calls Bitpanda GET endpoints and reads an API key. However registry metadata at the top of the report claims no required env vars/credentials while skill.json and SKILL.md do declare/expect BITPANDA_API_KEY and a credentials file (~/.openclaw/credentials/bitpanda/config.json). This metadata discrepancy is an incoherence to be aware of.
Instruction Scope
Runtime instructions and the included bash script restrict themselves to reading the API key (env var or a single credentials file), calling Bitpanda API endpoints under https://api.bitpanda.com/v1, and printing formatted results. The script requires curl/jq/bc as documented. I saw no commands that read unrelated system files, call unexpected external endpoints, or transmit data to third parties.
Install Mechanism
There is no install spec — the skill is instruction + a bundled bash script. No downloads, package installs, or archive extraction occur in the provided files, which reduces install-time risk.
Credentials
The only credential used is an API key (BITPANDA_API_KEY) or a single local credentials file, which is appropriate for the stated purpose. However SKILL.md recommends scopes: Balance, Trade, Transaction — the 'Trade' scope may allow non-read operations depending on Bitpanda's scope model. The script itself only issues GET requests, but you should avoid granting write/transfer scopes if you want purely read-only access.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide configs, and only reads a credential file in its own credentials path. It does not persist new credentials or elevate privileges.
What to consider before installing
This skill largely does what it says: it reads a Bitpanda API key (env var or ~/.openclaw/credentials/bitpanda/config.json) and makes GET calls to Bitpanda's API to show balances and trades. Before installing: (1) Confirm the API key you create is strictly read-only — do NOT grant trading/transfer permissions; the SKILL.md's suggested 'Trade' scope may be broader than necessary. (2) Note the registry metadata in the portal omitted the required env/credentials but the package files do require BITPANDA_API_KEY; treat the package files as authoritative. (3) Inspect the full script yourself (the distributed scripts/bitpanda.sh) to ensure it matches the truncated preview and there are no hidden network endpoints. (4) Keep the credentials file private (chmod 600) and consider using an API key with the minimal scopes and limited lifetime. If you want higher assurance, run the script in a sandboxed environment or review/execute it manually rather than granting automated agent invocation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f1hk3w4x2xwr36aqnyzpeex81598p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments