CoinGecko OpenAPI Skill
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill is a disclosed, read-only CoinGecko/GeckoTerminal API helper that uses API-key auth and a remote OpenAPI schema, with no artifact evidence of hidden writes, exfiltration, or destructive behavior.
Before installing, make sure you trust the UXC tool and the OpenAPI schema source, use a CoinGecko key you are comfortable delegating for market-data reads, and keep calls narrow to avoid unnecessary API quota usage.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
API calls made through the skill can use the user's CoinGecko credential and may consume rate limits or plan quota.
The skill asks the user to configure a CoinGecko API-key credential through UXC; this is expected for CoinGecko access, but it grants the tool use of the user's API quota and account plan.
uxc auth credential set coingecko-demo --auth-type api_key --api-key-header x-cg-demo-api-key --secret-env COINGECKO_DEMO_API_KEY
Use a dedicated CoinGecko key if possible, keep it in an environment secret, and verify the UXC binding is limited to the intended CoinGecko host and path.
If the remote schema changes, the generated CLI behavior could differ from the bundled artifact reviewed here, though the documented base host remains CoinGecko.
The runtime link uses an external raw GitHub schema URL on the main branch rather than only the bundled schema; this is central to the skill, but it means the user has to trust both the schema source and any future changes to it.
uxc link coingecko-openapi-cli https://api.coingecko.com/api/v3 --schema-url https://raw.githubusercontent.com/holon-run/uxc/main/skills/coingecko-openapi-skill/references/coingecko-market.openapi.json
Prefer a pinned or locally reviewed schema when available, and confirm the schema URL points to the expected project before linking it.
