Bitpanda
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can retrieve and display your crypto balances, wallet IDs, and trade history when the skill is used.
The skill needs a Bitpanda API key with account-data scopes and can read it from a local credential file; this is purpose-aligned but sensitive.
API key is read from (in order): 1. `BITPANDA_API_KEY` environment variable 2. `~/.openclaw/credentials/bitpanda/config.json` ... Recommended scopes: **Balance**, **Trade**, **Transaction**
Use a dedicated least-privilege/read-only Bitpanda API key, avoid withdrawal or trading permissions, keep the credential file protected, and revoke the key when no longer needed.
Using the skill will bring Bitpanda account information into the command output and the agent conversation context.
The CLI sends authenticated HTTPS requests to Bitpanda; the visible behavior is read-oriented and aligned with the portfolio-viewing purpose.
API_BASE="https://api.bitpanda.com/v1" ... curl -s ... -H "X-Api-Key: $API_KEY" ... "$API_BASE$endpoint"
Invoke the skill only when you want the agent to see this account information, and review outputs before sharing the conversation or logs.
A user may not notice from the registry metadata alone that the skill needs a Bitpanda API key and local CLI dependencies.
The registry metadata lacks source/homepage provenance and under-declares the credential requirement that the included files describe.
Source: unknown Homepage: none ... Required env vars: none ... Primary credential: none
Read SKILL.md and skill.json before installing, and prefer installing only if you are comfortable with the visible script and its Bitpanda API use.