Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Bitpanda V2
v1.0.0
Interact with the Bitpanda API to obtain raw portfolio, trade, and price data without aggregation, with full handling of pagination and errors.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, SKILL.md and the included script all consistently implement a Bitpanda API client, which is coherent with the stated purpose. However, the registry metadata declares no required environment variables or primary credential while the SKILL.md and scripts require a BITPANDA_API_KEY. This mismatch between metadata and actual runtime requirements is an incoherence and should be fixed.
Instruction Scope
SKILL.md and scripts limit actions to calling Bitpanda endpoints using curl/jq, handling pagination and errors. The instructions do not ask the agent to read unrelated system files or contact endpoints other than Bitpanda. The README does instruct the user to persist an API key in shell environment files, which is a user choice but not out-of-scope for this client.
Install Mechanism
There is no install spec and the skill is instruction-only plus a shell script included in the bundle. No downloads or archive extraction are performed. This is low-risk from an install perspective.
Credentials
The tool legitimately needs one API credential (BITPANDA_API_KEY), which is proportionate. The problem is the registry metadata does not list this required env var nor a primary credential, creating an information gap. SKILL.md also instructs users how to persist the key in shell rc files — a common practice but one that increases exposure of the secret to local processes and backups.
Persistence & Privilege
The skill does not request permanent/always-on privileges and does not modify other skills or system-wide settings. It simply runs as a CLI script when invoked.
What to consider before installing
This skill appears to be a straightforward Bitpanda API client and not obviously malicious, but there are packaging inconsistencies you should address before installing or using it with a real key:
- Metadata mismatch: The registry lists no required environment variables, but the script and SKILL.md clearly require BITPANDA_API_KEY. Treat this as a red flag until the publisher updates metadata to declare the credential.
- Secrets handling: The script expects the API key in BITPANDA_API_KEY or as a parameter. Avoid pasting high-privilege API keys into ~/.bashrc or other persistent files unless you understand the risk. Prefer creating a least-privilege Bitpanda API key (only the permissions needed) and consider using a temporary or read-only key for testing.
- Verify endpoints: SKILL.md references developer.bitpanda.com (the docs site) while the script uses https://api.bitpanda.com. Confirm the correct base URL and endpoint paths against Bitpanda's official docs before use.
- Local review: Because this is a shell script, review it yourself (or have someone you trust review) for any logging, network calls, or accidental echoing of secrets. The included script appears to only send requests to Bitpanda and print results, but it has some brittle jq selectors and minor logic bugs (e.g., how trades are concatenated) — test in a safe environment first.
If you decide to proceed: create a least-privilege API key, test with non-critical account data or a sandbox, and request the publisher to update the registry metadata to declare BITPANDA_API_KEY as the primary credential and to correct doc/script discrepancies.
Like a lobster shell, security has layers — review code before you run it.
