Kraken CLI

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly a coherent Kraken trading CLI, but it includes broad raw/private account actions that can bypass the advertised confirmation guard for high-impact financial operations.

Install only if you are comfortable giving an agent access to Kraken API keys. Use read-only or narrowly scoped keys where possible, avoid withdrawal-enabled keys unless necessary, and do not use the raw private command, the futures raw command, or arbitrary WebSocket URLs unless you have manually reviewed the exact command.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could use the raw private command to invoke state-changing Kraken endpoints such as withdrawals, transfers, or order operations without the documented alias-level confirmation guard.

Why it was flagged

The raw private path signs and dispatches arbitrary private Kraken endpoints, but unlike kraken_execute_alias it does not check endpoint metadata or call kraken_require_confirmation.

Skill content

kraken_execute_raw() {
  ...
  kraken_parse_request_flags "$@"
  ...
  private)
    signed="true"
    kraken_require_private_env
    path="$(kraken_normalize_raw_path "private" "$endpoint")"
  ...
  kraken_execute_request "$method" "$path" "$signed"
}

Recommendation

Prefer the named aliases, remove or restrict raw private and futures raw access, and enforce confirmation for known state-changing raw paths before using real trading- or withdrawal-capable API keys.

What this means

If misused, the WebSocket command could send selected local file contents or private payloads to a non-Kraken WebSocket endpoint.

Why it was flagged

The WebSocket helper accepts a caller-supplied URL and can read a local message file and send it to that URL, which is broader than Kraken-only configured endpoints.

Skill content

case "--url":
  url = args[++i] ?? "";
...
case "--message-file":
  messages.push(readFileSync(args[++i] ?? "", "utf8"));
...
const ws = new WebSocket(url);
...
ws.send(message);

Recommendation

Use only the spot-public, spot-private, futures-public, or futures-private wrappers with configured Kraken URLs, and avoid message files containing secrets or unrelated local data.

What this means

The skill can view account state and, if the API keys allow it, place trades, transfer funds, or request withdrawals.

Why it was flagged

The skill requires Kraken Spot and Futures credentials for private endpoints, which is expected for this integration but gives the skill the account permissions granted to those keys.

Skill content

- `KRAKEN_API_KEY`
- `KRAKEN_API_SECRET`
- `KRAKEN_FUTURES_API_KEY`
- `KRAKEN_FUTURES_API_SECRET`

Recommendation

Use the least-privileged Kraken API keys possible, avoid withdrawal permission unless specifically needed, and use separate keys for read-only versus trading workflows.

What this means

A malicious or untrusted config file could run commands locally when the skill starts.

Why it was flagged

The CLI loads configuration by sourcing a shell file, which is a normal Bash pattern but executes any shell code in that file.

Skill content

if [ -n "${OPENCLAW_KRAKEN_CONFIG:-}" ]; then
  [ -f "$OPENCLAW_KRAKEN_CONFIG" ] || kraken_fail "config file not found: $OPENCLAW_KRAKEN_CONFIG"
  ...
  source "$OPENCLAW_KRAKEN_CONFIG"
fi

Recommendation

Only point OPENCLAW_KRAKEN_CONFIG at trusted configuration files, and prefer injecting sensitive values through environment variables or a secret store rather than a sourced file.