Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
UPBIT market data get skill
v1.0.2
Fetch market data from Upbit via CLI commands including pairs, candles, trades, tickers, orderbooks, and watchlist with JSON output.
by @kuns9
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (fetch Upbit market data) matches the code and SKILL.md: the CLI implements pairs, candles, trades, tickers, orderbooks, and a watchlist. The presence of an auth helper and config fields for accessKey/secretKey is reasonable for an API client even though market-data endpoints are public.
Instruction Scope
Runtime instructions are focused on running the CLI and creating a local config/config.json; the skill reads only that config (or an override path supplied via --config / UPBIT_SKILL_CONFIG). No instructions ask the agent to read unrelated files or exfiltrate data. Note: SKILL.md tells the user to store accessKey/secretKey in the config file — those are secrets kept in a local file and will be read by the skill.
Install Mechanism
This is an instruction-only skill with a package.json and source files; installation is a standard npm install of well-known packages (jsonwebtoken, uuid). There are no downloads from arbitrary URLs or extract steps in the manifest.
Credentials
The skill does not require environment credentials; it expects a local config JSON containing optional Upbit accessKey/secretKey and an optional baseUrl. That is proportionate for a client that may sign requests. Minor inconsistency: the code includes JWT signing (auth.js) and requests API keys in the config, but the provided market-data endpoints in endpoints.js call request() without authRequired=true, so authenticated signing is unused for the included public endpoints.
Persistence & Privilege
The skill does not request persistent installation privileges (always:false), does not modify other skills or system-wide settings, and only reads a config file path (or the path passed via --config). It sets UPBIT_SKILL_CONFIG only for the running process when --config is used.
Assessment
This skill appears to do what it says: a Node.js CLI that calls Upbit's public market endpoints and outputs JSON. Before installing or running it:
1) place any Upbit accessKey/secretKey only in a secure local config file (config/config.json) and avoid committing that file to VCS; the skill will read that file if you include keys.
2) If you do not need authenticated endpoints, you can leave the keys empty — the included market-data calls are public.
3) Be careful when overriding config with --config: pointing the tool at a file you don't control could expose secrets in that file to the process.
4) Verify the config.baseUrl if you change it — pointing it to a non-Upbit host would send requests (and any signed token) to that host.
5) The presence of JWT signing code is expected for authenticated Upbit APIs but is not used by the existing public endpoints; this is a minor inconsistency but not malicious.
Like a lobster shell, security has layers — review code before you run it.
