Bitpanda
v1.0.0Check your Bitpanda crypto portfolio, wallet balances, and trade history via CLI using your API key with read-only access.
⭐ 0· 559·0 current·0 all-time
byFlorian Beer@florianbeer
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (read-only Bitpanda portfolio) matches the actual code and SKILL.md: the script calls Bitpanda GET endpoints and reads an API key. However registry metadata at the top of the report claims no required env vars/credentials while skill.json and SKILL.md do declare/expect BITPANDA_API_KEY and a credentials file (~/.openclaw/credentials/bitpanda/config.json). This metadata discrepancy is an incoherence to be aware of.
Instruction Scope
Runtime instructions and the included bash script restrict themselves to reading the API key (env var or a single credentials file), calling Bitpanda API endpoints under https://api.bitpanda.com/v1, and printing formatted results. The script requires curl/jq/bc as documented. I saw no commands that read unrelated system files, call unexpected external endpoints, or transmit data to third parties.
Install Mechanism
There is no install spec — the skill is instruction + a bundled bash script. No downloads, package installs, or archive extraction occur in the provided files, which reduces install-time risk.
Credentials
The only credential used is an API key (BITPANDA_API_KEY) or a single local credentials file, which is appropriate for the stated purpose. However SKILL.md recommends scopes: Balance, Trade, Transaction — the 'Trade' scope may allow non-read operations depending on Bitpanda's scope model. The script itself only issues GET requests, but you should avoid granting write/transfer scopes if you want purely read-only access.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide configs, and only reads a credential file in its own credentials path. It does not persist new credentials or elevate privileges.
What to consider before installing
This skill largely does what it says: it reads a Bitpanda API key (env var or ~/.openclaw/credentials/bitpanda/config.json) and makes GET calls to Bitpanda's API to show balances and trades. Before installing: (1) Confirm the API key you create is strictly read-only — do NOT grant trading/transfer permissions; the SKILL.md's suggested 'Trade' scope may be broader than necessary. (2) Note the registry metadata in the portal omitted the required env/credentials but the package files do require BITPANDA_API_KEY; treat the package files as authoritative. (3) Inspect the full script yourself (the distributed scripts/bitpanda.sh) to ensure it matches the truncated preview and there are no hidden network endpoints. (4) Keep the credentials file private (chmod 600) and consider using an API key with the minimal scopes and limited lifetime. If you want higher assurance, run the script in a sandboxed environment or review/execute it manually rather than granting automated agent invocation.Like a lobster shell, security has layers — review code before you run it.
latest
Florian Beer@florianbeer
DownloadBitpanda Portfolio Skill
Check Bitpanda crypto portfolio, wallet balances, and trade history via CLI.
Auth
API key is read from (in order):
BITPANDA_API_KEYenvironment variable~/.openclaw/credentials/bitpanda/config.json→{"api_key": "..."}
Generate at: https://web.bitpanda.com/my-account/apikey Recommended scopes: Balance, Trade, Transaction
Commands
bitpanda portfolio # Non-zero wallets grouped by crypto/fiat/index
bitpanda wallets # All non-zero wallets with balances
bitpanda transactions --limit 20 # Recent trades
bitpanda transactions --flow buy # Buy trades only
bitpanda transactions --flow sell # Sell trades only
bitpanda asset BTC # Current price + your balance
Notes
- Read-only — no trading or transfers
- Assets in Bitpanda Earn/Staking are not exposed by the API and won't show in balances
- The
assetcommand uses the public ticker (no auth needed) for prices - Pagination is automatic
- Requires:
curl,jq,bc
Comments
Loading comments...