Upbit OpenAPI Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears limited to public read-only Upbit market data, with a minor caution that it relies on UXC and an unpinned remote schema URL.

This skill looks appropriate for read-only Upbit public market data. Before installing or using it, make sure you trust UXC and the schema source, consider using a pinned or local schema, and verify the regional Upbit host and market symbol before running requests.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may make live public market-data requests to Upbit through UXC, but the reviewed artifacts do not show private account access or trading actions.

Why it was flagged

The skill directs use of UXC to create and run a CLI for external API calls. This is central to the stated purpose and the documented operations are public read-only endpoints.

Skill content

`uxc link upbit-openapi-cli https://sg-api.upbit.com --schema-url https://raw.githubusercontent.com/holon-run/uxc/main/skills/upbit-openapi-skill/references/upbit-public.openapi.json`

Recommendation

Confirm the regional host and market code before use, and keep use limited to the documented read-only operations.

What this means

If the remote schema changes later, the available API operations may differ from the local schema included in this review.

Why it was flagged

The link command pulls the OpenAPI schema from a GitHub `main` branch URL rather than a pinned commit or packaged local path, so the runtime schema could change independently of the reviewed artifact.

Skill content

`--schema-url https://raw.githubusercontent.com/holon-run/uxc/main/skills/upbit-openapi-skill/references/upbit-public.openapi.json`

Recommendation

Prefer the included local schema or a pinned commit URL when possible, and review any remote schema before linking it.