Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CoinGecko OpenAPI Skill

v1.0.0

Operate CoinGecko and GeckoTerminal market data APIs through UXC with a curated OpenAPI schema, API-key auth, and read-first guardrails.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Skill description and included OpenAPI schema match the stated purpose (read-only CoinGecko and GeckoTerminal market data). However the registry metadata claims no required env vars or binaries while SKILL.md explicitly requires the uxc CLI, network access to api.coingecko.com, and API-key secrets (COINGECKO_DEMO_API_KEY / COINGECKO_PRO_API_KEY). That omission is a mismatch but not intrinsically malicious.
Instruction Scope
Runtime instructions remain within the stated read-only scope: link a coingecko-openapi-cli via uxc, inspect operation schemas, run GET operations, and bind API keys. The SKILL.md enforces JSON output and read-only guardrails. It references a raw.githubusercontent URL for the curated schema (also included locally), which is expected but worth noting as an external fetch target.
Install Mechanism
This is instruction-only (no install spec). The only executable file is a validation script that checks repository files; no downloads or archive extracts are performed by the skill itself. This is low-risk from an install mechanism perspective.
Credentials
The environment/credential demands in SKILL.md are proportionate to the purpose (a demo or pro API key header for CoinGecko). However the skill metadata declares no required env vars or primary credential while the instructions require COINGECKO_DEMO_API_KEY and optionally COINGECKO_PRO_API_KEY. That discrepancy is material because users may not realize they need to supply secrets.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always:false, no system-wide config writes described). The validation script only checks files and required local commands; it does not modify other skills or system configs.
What to consider before installing
This skill appears to do what it says (read-only CoinGecko/GeckoTerminal access via a curated OpenAPI schema), but there are a few practical mismatches you should confirm before installing:

  • The SKILL.md requires the uxc CLI on PATH, network access to api.coingecko.com, and an API key environment variable (COINGECKO_DEMO_API_KEY or COINGECKO_PRO_API_KEY). The registry metadata lists none of these — assume the SKILL.md is authoritative and ensure you are comfortable providing those secrets.
  • The required API keys are appropriate for this purpose, but follow best practices: store them in a secure secret store or scoped environment (as the guide suggests), and keep demo and pro keys separate.
  • The skill references an external raw.githubusercontent URL for the schema but also includes the schema locally; if you want to minimize external fetches, link using the local file or verify the remote URL before use.
  • The included scripts/validate.sh requires jq and rg (ripgrep) if you plan to run validation locally; it does not run automatically.

If you are okay providing a CoinGecko API key and installing/using uxc, the skill is plausible. If you need the registry metadata to reflect runtime requirements, ask the publisher to update the declared required env vars and binaries before installing.


SKILL.md

CoinGecko And GeckoTerminal Skill

Use this skill to run CoinGecko market data and GeckoTerminal onchain DEX operations through uxc + OpenAPI.

Reuse the uxc skill for shared execution, auth, and error-handling guidance.

Prerequisites

  • uxc is installed and available in PATH.
  • Network access to https://api.coingecko.com/api/v3.
  • Access to the curated OpenAPI schema URL:
    • https://raw.githubusercontent.com/holon-run/uxc/main/skills/coingecko-openapi-skill/references/coingecko-market.openapi.json
  • A CoinGecko Demo API key.

Scope

This skill covers a read-first market data surface:

  • API liveness checks
  • spot price lookup
  • asset ID discovery
  • market screener reads
  • trending reads
  • GeckoTerminal network discovery
  • onchain token price lookup
  • trending pool reads

This skill does not cover:

  • paid or enterprise-only method families beyond the selected v1 scope
  • historical chart or OHLC families
  • portfolio, NFT, or onchain trade execution
  • the full CoinGecko or GeckoTerminal API

Authentication

The default host uses CoinGecko Demo auth with x-cg-demo-api-key.

Configure one API-key credential and bind it to api.coingecko.com/api/v3:

uxc auth credential set coingecko-demo \
  --auth-type api_key \
  --api-key-header x-cg-demo-api-key \
  --secret-env COINGECKO_DEMO_API_KEY

uxc auth binding add \
  --id coingecko-demo \
  --host api.coingecko.com \
  --path-prefix /api/v3 \
  --scheme https \
  --credential coingecko-demo \
  --priority 100

Validate the active mapping when auth looks wrong:

uxc auth binding match https://api.coingecko.com/api/v3

Pro Host Override

If you have a Pro plan, keep the same curated schema and create a separate credential, binding, and link:

uxc auth credential set coingecko-pro \
  --auth-type api_key \
  --api-key-header x-cg-pro-api-key \
  --secret-env COINGECKO_PRO_API_KEY

uxc auth binding add \
  --id coingecko-pro \
  --host pro-api.coingecko.com \
  --path-prefix /api/v3 \
  --scheme https \
  --credential coingecko-pro \
  --priority 100

uxc link coingecko-pro-openapi-cli https://pro-api.coingecko.com/api/v3 \
  --schema-url https://raw.githubusercontent.com/holon-run/uxc/main/skills/coingecko-openapi-skill/references/coingecko-market.openapi.json

Core Workflow

  1. Use the fixed link command by default:

    • command -v coingecko-openapi-cli
    • If missing, create it: uxc link coingecko-openapi-cli https://api.coingecko.com/api/v3 --schema-url https://raw.githubusercontent.com/holon-run/uxc/main/skills/coingecko-openapi-skill/references/coingecko-market.openapi.json
    • coingecko-openapi-cli -h
  2. Inspect operation schema first:

    • coingecko-openapi-cli get:/simple/price -h
    • coingecko-openapi-cli get:/coins/markets -h
    • coingecko-openapi-cli get:/onchain/simple/networks/{network}/token_price/{addresses} -h
  3. Prefer narrow read validation before broader reads:

    • coingecko-openapi-cli get:/ping
    • coingecko-openapi-cli get:/coins/list include_platform=false
    • coingecko-openapi-cli get:/onchain/networks
  4. Execute with key/value parameters:

    • coingecko-openapi-cli get:/simple/price ids=bitcoin,ethereum vs_currencies=usd
    • coingecko-openapi-cli get:/coins/markets vs_currency=usd ids=bitcoin,ethereum order=market_cap_desc per_page=10 page=1
    • coingecko-openapi-cli get:/onchain/simple/networks/{network}/token_price/{addresses} network=eth addresses=0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48

Operation Groups

Market Data

  • get:/ping
  • get:/simple/price
  • get:/coins/list
  • get:/coins/markets
  • get:/search/trending

GeckoTerminal Onchain Data

  • get:/onchain/networks
  • get:/onchain/simple/networks/{network}/token_price/{addresses}
  • get:/onchain/networks/trending_pools

Guardrails

  • Keep automation on the JSON output envelope; do not use --text.
  • Parse stable fields first: ok, kind, protocol, data, error.
  • Treat this v1 skill as read-only. Do not imply wallet, trading, or portfolio mutation support.
  • Demo and Pro hosts use different API-key headers. If the default Demo credential fails against the Pro host, create a separate Pro credential rather than reusing the Demo header name.
  • The Pro host needs its own auth binding on pro-api.coingecko.com/api/v3; creating only a credential is not enough for linked calls to send x-cg-pro-api-key.
  • CoinGecko public and Demo limits are tighter than Pro. Keep default examples narrow and avoid large paginated loops without explicit user intent.
  • The GeckoTerminal endpoints in this schema share the same API root and auth flow as the rest of the curated CoinGecko host contract.
  • coingecko-openapi-cli <operation> ... is equivalent to uxc https://api.coingecko.com/api/v3 --schema-url <coingecko_openapi_schema> <operation> ....
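
The read-only guardrail and the operation list above can be checked against the schema file itself before it is linked, together with a pinned digest for the copy fetched from raw.githubusercontent.com. The following is an added example, not part of the skill or of uxc; the function name, the pin workflow, and both sample schemas are constructed for illustration:

```python
import hashlib
import json

# Operations listed under "Operation Groups" in the SKILL.md above.
ALLOWED = {
    "/ping", "/simple/price", "/coins/list", "/coins/markets",
    "/search/trending", "/onchain/networks",
    "/onchain/simple/networks/{network}/token_price/{addresses}",
    "/onchain/networks/trending_pools",
}
# OpenAPI path-item keys that denote operations (other keys are metadata).
METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def audit_schema(raw: bytes, pinned_sha256: str) -> list:
    """Return findings for a schema file; an empty list means it passed."""
    findings = []
    digest = hashlib.sha256(raw).hexdigest()
    if digest != pinned_sha256.lower():
        findings.append("digest mismatch: " + digest)
    try:
        paths = json.loads(raw).get("paths", {})
    except (ValueError, AttributeError) as exc:
        return findings + ["unparseable schema: %s" % exc]
    for path, item in sorted(paths.items()):
        for method in sorted(k.lower() for k in item if k.lower() in METHODS):
            if method != "get":
                findings.append("non-read operation: %s %s" % (method.upper(), path))
            elif path not in ALLOWED:
                findings.append("undocumented operation: GET " + path)
    return findings


# Constructed sample input, not the project's real schema file.
REVIEWED = json.dumps({"openapi": "3.0.0", "paths": {
    "/ping": {"get": {}}, "/simple/price": {"get": {}, "parameters": []},
}}).encode()
PIN = hashlib.sha256(REVIEWED).hexdigest()  # recorded when the file was reviewed

# Constructed tampered copy: adds a write method and an unlisted path.
TAMPERED = json.dumps({"openapi": "3.0.0", "paths": {
    "/ping": {"get": {}, "post": {}}, "/coins/{id}/history": {"get": {}},
}}).encode()

if __name__ == "__main__":
    print(audit_schema(REVIEWED, PIN))
    for finding in audit_schema(TAMPERED, PIN):
        print(finding)
```

Run it on the downloaded schema bytes before linking, and update the pin only after reviewing a changed file.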
