Crypto Prices
v1.1.0Fetch live cryptocurrency and commodity prices from verified sources with caching and fallback, ensuring accurate and up-to-date market data.
⭐ 0· 850·8 current·8 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The description claims the skill 'fetch[es] live cryptocurrency and commodity prices', but there are no code files implementing that behavior (no crypto_prices.py) and the manifest declares no required binaries or environments. The SKILL.md requires Python and a local module in ~/clawd, neither of which are declared — this is inconsistent and suggests the skill as published is incomplete or depends on out-of-band code.
Instruction Scope
Runtime instructions explicitly tell the agent to cd into ~/clawd and run python -c "from crypto_prices import ..." and to treat that local module as the single source of truth. That directs the agent to execute local, unverified code and to ignore web searches. Relying on an undeclared local module gives broad discretion to whatever file exists at that path and could execute arbitrary code; the instructions also reference provider fallbacks but do not supply the implementation.
Install Mechanism
There is no install spec (instruction-only), which normally reduces risk because nothing is written to disk by the skill. However, the skill's behavior depends on an external local module not supplied by the package. That absence changes the threat model: the skill itself won't install code, but it instructs the agent to run code that must exist elsewhere.
Credentials
The skill declares no required environment variables or credentials (which is plausible for public APIs like CoinGecko), but the SKILL.md requires access to a specific user path (~/clawd) and an unprovided module. The path requirement and expectation to execute local Python code are not reflected in the declared requirements and are therefore disproportionate and undeclared.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always: false, no installs). However, because it instructs the agent to import and execute a local module, it enables arbitrary code execution based on local files; that is an operational risk even without elevated privileges. No evidence the skill modifies other skills or system settings.
What to consider before installing
This package is missing the implementation it tells the agent to run. Do not install or enable it unless you trust the source and have the missing crypto_prices.py code reviewed. Ask the publisher for: (1) the crypto_prices.py module or a link to a trusted repository/release, (2) an explicit statement of required binaries (e.g., python3) and where the module should live, and (3) why the skill requires cd ~/clawd. If you must use it immediately, inspect the crypto_prices.py file before running: look for network endpoints, obfuscated code, or any code that reads other files or environment variables. Prefer a skill that either bundles its implementation or calls well-known remote APIs directly (with transparent network targets and optional API keys). Also note the package metadata/version in _meta.json doesn't match the registry metadata — ask the author to correct that before trusting the skill.Like a lobster shell, security has layers — review code before you run it.
latestvk97fe1tajg2s6g5v41yj66gwbx81e4re
License
MIT-0
Free to use, modify, and redistribute. No attribution required.