CMC Kline Data Collector

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill

Name: cmc-kline-data-collector

Version: 1.0.0

The skill is a legitimate cryptocurrency data collector that fetches K-line data from CoinMarketCap's public API and calculates technical indicators (EMA, RSI). The code in `src/cmc_client.py` and `src/indicators.py` is well-structured and aligns with the stated purpose. While `SKILL.md` references specific local paths (e.g., `/home/admin/.openclaw/workspace/`), these appear to be environment-specific documentation rather than malicious instructions or backdoors.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If directed to a bad path, the skill could overwrite a file the user can write to.

Why it was flagged

The output filename is caller-controlled and is opened for writing. File output is part of the skill's purpose, but users should avoid absolute paths, traversal paths, or overwriting important files.

Skill content

```python
def save_json(self, kline: KlineData, filename: Optional[str] = None) -> str:
    ...
    filepath = self.output_dir / filename
    with open(filepath, "w", encoding="utf-8") as f:
```

Recommendation

Use the default output directory or safe relative filenames, and confirm before writing to existing or sensitive paths.

What this means

A future or unexpected package version could behave differently from the version the author tested.

Why it was flagged

The skill documents installing the `requests` package without a pinned version. This is expected for HTTP access, but the dependency source/version is not locked by the artifacts.

Skill content

## Dependencies

```bash
pip install requests
```

Recommendation

Install dependencies from a trusted package index and consider pinning a known-good `requests` version.

What this means

If enabled separately, the collector would keep running daily and writing output files until the cron job is removed.

Why it was flagged

The documentation describes a daily scheduled task. It is disclosed and aligned with routine data collection, and the provided install artifacts do not show automatic cron installation.

Skill content

```
0 9 * * * cd /home/admin/.openclaw/workspace/crypto-data-processor && python scripts/daily_kline.py --output /home/admin/.openclaw/workspace/crypto-data-processor/output/daily_$(date +\%Y\%m\%d).json
```

Recommendation

Only enable the cron task if you want recurring collection, and verify the referenced script and output path before use.