Bitpanda
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: bitpanda Version: 1.0.0 The OpenClaw skill 'bitpanda' is classified as benign. All files (SKILL.md, scripts/bitpanda.sh, skill.json, README.md) consistently describe and implement a read-only interface to the Bitpanda API for checking portfolio, wallet balances, and trade history. The `scripts/bitpanda.sh` script correctly loads the API key from environment variables or a local credentials file and uses it to make `GET` requests to the legitimate `https://api.bitpanda.com/v1` endpoint. There is no evidence of data exfiltration to unauthorized endpoints, malicious code execution, persistence mechanisms, or prompt injection attempts against the AI agent. The script's actions are fully aligned with its stated purpose and security claims.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can retrieve and display your crypto balances, wallet IDs, and trade history when the skill is used.
The skill needs a Bitpanda API key with account-data scopes and can read it from a local credential file; this is purpose-aligned but sensitive.
API key is read from (in order): 1. `BITPANDA_API_KEY` environment variable 2. `~/.openclaw/credentials/bitpanda/config.json` ... Recommended scopes: **Balance**, **Trade**, **Transaction**
Use a dedicated least-privilege/read-only Bitpanda API key, avoid withdrawal or trading permissions, keep the credential file protected, and revoke the key when no longer needed.
Using the skill will bring Bitpanda account information into the command output and the agent conversation context.
The CLI sends authenticated HTTPS requests to Bitpanda; the visible behavior is read-oriented and aligned with the portfolio-viewing purpose.
API_BASE="https://api.bitpanda.com/v1" ... curl -s ... -H "X-Api-Key: $API_KEY" ... "$API_BASE$endpoint"
Invoke the skill only when you want the agent to see this account information, and review outputs before sharing the conversation or logs.
A user may not notice from the registry metadata alone that the skill needs a Bitpanda API key and local CLI dependencies.
The registry metadata lacks source/homepage provenance and under-declares the credential requirement that the included files describe.
Source: unknown Homepage: none ... Required env vars: none ... Primary credential: none
Read SKILL.md and skill.json before installing, and prefer installing only if you are comfortable with the visible script and its Bitpanda API use.