UPBIT market data get skill
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears to do what it says—fetch Upbit market data—but users should notice the npm dependency install and the optional API-key fields in its config.
This looks like a straightforward Upbit market-data CLI. Before installing, be comfortable with npm dependency installation, keep the config baseUrl pointed at the official Upbit API unless you intentionally change it, and do not add real Upbit API keys unless you have a specific need and can restrict their permissions.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you put real Upbit API keys in the config, you are storing sensitive exchange credentials for a skill whose current commands appear to only need public market-data access.
The documented config includes exchange API credential fields even though the listed commands are for public market data. The example leaves them blank, and the shown endpoints do not require auth, so this is a user-awareness note rather than a concern.
"upbit": { "baseUrl": "https://api.upbit.com", "accessKey": "", "secretKey": "" }
Leave accessKey and secretKey blank unless you have verified a command truly needs them; if used, prefer restricted/read-only keys and avoid trade- or withdrawal-capable credentials.
Installing the skill may download third-party npm packages, and the exact allowed patch/minor versions can vary.
The npm install will resolve third-party packages using semver ranges rather than fully pinned exact versions. This is common for Node projects but means users should trust the package sources and dependency resolution.
"dependencies": { "jsonwebtoken": "^9.0.2", "uuid": "^10.0.0" }
Review the dependencies before installation; for higher assurance, use a lockfile or pin exact versions in a controlled environment.
