Kraken CLI
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could use the raw private command to invoke state-changing Kraken endpoints such as withdrawals, transfers, or order operations without the documented alias-level confirmation guard.
The raw private path signs and dispatches arbitrary private Kraken endpoints, but unlike kraken_execute_alias it does not check endpoint metadata or call kraken_require_confirmation.
kraken_execute_raw() {
  ...
  kraken_parse_request_flags "$@"
  ...
  private) signed="true"; kraken_require_private_env; path="$(kraken_normalize_raw_path "private" "$endpoint")"
  ...
  kraken_execute_request "$method" "$path" "$signed"
}

Prefer the named aliases, remove or restrict raw private/futures raw access, and enforce confirmation for known state-changing raw paths before using real trading or withdrawal-capable API keys.
If misused, the WebSocket command could send selected local file contents or private payloads to a non-Kraken WebSocket endpoint.
The WebSocket helper accepts a caller-supplied URL and can read a local message file and send it to that URL, which is broader than Kraken-only configured endpoints.
case "--url":
  url = args[++i] ?? "";
...
case "--message-file":
  messages.push(readFileSync(args[++i] ?? "", "utf8"));
...
const ws = new WebSocket(url);
...
ws.send(message);

Use only the spot-public, spot-private, futures-public, or futures-private wrappers with configured Kraken URLs, and avoid message files containing secrets or unrelated local data.
The skill can view account state and, if the API keys allow it, place trades, transfer funds, or request withdrawals.
The skill requires Kraken Spot and Futures credentials for private endpoints, which is expected for this integration but gives the skill the account permissions granted to those keys.
- `KRAKEN_API_KEY`
- `KRAKEN_API_SECRET`
- `KRAKEN_FUTURES_API_KEY`
- `KRAKEN_FUTURES_API_SECRET`
Use the least-privileged Kraken API keys possible, avoid withdrawal permission unless specifically needed, and use separate keys for read-only versus trading workflows.
A malicious or untrusted config file could run commands locally when the skill starts.
The CLI loads configuration by sourcing a shell file, which is a normal Bash pattern but executes any shell code in that file.
if [ -n "${OPENCLAW_KRAKEN_CONFIG:-}" ]; then
  [ -f "$OPENCLAW_KRAKEN_CONFIG" ] || kraken_fail "config file not found: $OPENCLAW_KRAKEN_CONFIG"
  ...
  source "$OPENCLAW_KRAKEN_CONFIG"
fi

Only point OPENCLAW_KRAKEN_CONFIG at trusted configuration files and prefer environment/secret injection for sensitive values.
