Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

coinank-openapi

v1.0.2

call coinank openapi to get data

Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (coinank-openapi) match the declared requirement (COINANK_API_KEY) and the included OpenAPI reference files; allowed network host is the CoinAnk OpenAPI URL. There are no unrelated env vars, binaries, or install steps requested.
Instruction Scope
SKILL.md restricts runtime actions to checking COINANK_API_KEY, reading README.md and selected OpenAPI JSON files under references/, validating parameters, and issuing curl requests to https://open-api.coinank.com with the apikey header. It does not instruct reading unrelated system files or sending data to other endpoints. It does ask to 'log detailed errors' but does not specify writing to sensitive system paths.
Install Mechanism
No install spec — instruction-only skill. No downloads or package installs are declared, which is the lowest-risk install profile.
Credentials
Only one credential is required (COINANK_API_KEY) and it is declared as the primary credential. That credential is appropriate and necessary for calling the CoinAnk API. No other sensitive env vars or cross-service keys are requested.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or modifications. It does not require enabling itself permanently or altering other skills' configurations.
Assessment
This skill appears to do what it says: it will read the included OpenAPI JSON files and README and then call https://open-api.coinank.com using the COINANK_API_KEY you supply (sent in the HTTP header). Before installing, confirm you trust coinank.com and are comfortable exposing the API key to that external service. Use a key with minimal privileges if possible and rotate or revoke the key if you stop using the skill. Note that the skill may log request errors (check where agent logs are stored) — avoid putting high-privilege or unrelated secrets into the same environment.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Env: COINANK_API_KEY
Primary env: COINANK_API_KEY
latestvk97738h0053p3pm9yf208nwfeh825bja
507 downloads
0 stars
3 versions
Updated 5h ago
v1.0.2
MIT-0

Permission Declaration

SECURITY MANIFEST:

- Allowed to read: {baseDir}/README.md, {baseDir}/references/*.json

- Allowed to make network requests to: https://open-api.coinank.com

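Workflow (On-Demand Loading Mode)

When the user makes a request, strictly follow these steps:

  1. Check the API key: first check whether the environment variable COINANK_API_KEY exists. If it does not, prompt the user to set the API key.
  2. Read the README: read README.md carefully.
  3. Directory index: scan all file names under the {baseDir}/references/ directory and determine which OpenAPI definition files are relevant to the user's request.
  4. Targeted read: read only the selected .json files and analyze their paths, parameters, and requestBody. paths is an object whose keys are the request paths.
  5. Build the request: use curl to execute the request.
    • Base URL: always use https://open-api.coinank.com (or extract it from the servers field of the JSON).
    • Auth: take the apikey from the environment variable COINANK_API_KEY and inject it into the Header.
    • If the parameters include endTime, pass the latest millisecond timestamp where possible.
    • The timestamps in the OpenAPI documents are all examples. If the user does not specify a time, use the current time as a millisecond timestamp.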

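Notes

  • No full loading: unless the user's request spans multiple domains, do not read multiple JSON files at the same time.
  • Parameter validation: before sending a request, verify against the OpenAPI definition that all required parameters are present.
  • Error handling: when a request fails, show the user a friendly message and record a detailed error log.
  • API key configuration: users must set the environment variable COINANK_API_KEY themselves, for example: export COINANK_API_KEY="your_api_key"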
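
The workflow and notes above, sketched as an added example that is not part of the skill or of CoinAnk's reference files: it checks the key, pins the Base URL (including one taken from a servers field) to the host in the SECURITY MANIFEST, validates required parameters, and returns a redacted copy of the curl command for error logs. The path /api/example/history and the parameter names symbol and size are constructed placeholders.

```python
import os
import time
from urllib.parse import urlencode, urlsplit

ALLOWED_HOST = "open-api.coinank.com"  # the only host the SECURITY MANIFEST allows

# Constructed OpenAPI fragment: path and parameter names are placeholders,
# not taken from the skill's references/*.json files.
SAMPLE_SPEC = {
    "servers": [{"url": "https://open-api.coinank.com"}],
    "paths": {
        "/api/example/history": {
            "get": {"parameters": [
                {"name": "symbol", "in": "query", "required": True},
                {"name": "endTime", "in": "query", "required": True},
                {"name": "size", "in": "query", "required": False},
            ]}
        }
    },
}

def build_curl(spec, path, params, env=os.environ, method="get"):
    """Return (argv, loggable_argv) for curl; raise ValueError on any failed check."""
    key = env.get("COINANK_API_KEY")
    if not key:
        raise ValueError("COINANK_API_KEY is not set")
    servers = spec.get("servers") or [{"url": f"https://{ALLOWED_HOST}"}]
    base = servers[0]["url"]
    parts = urlsplit(base)
    # A servers entry read from a JSON file must not redirect the key elsewhere.
    if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
        raise ValueError(f"server {base!r} is outside the allowed host")
    declared = {p["name"]: p for p in spec["paths"][path][method].get("parameters", [])}
    params = dict(params)
    if "endTime" in declared and "endTime" not in params:
        params["endTime"] = int(time.time() * 1000)  # current millisecond timestamp
    missing = [n for n, p in declared.items() if p.get("required") and n not in params]
    if missing:
        raise ValueError(f"missing required parameters: {missing}")
    unknown = sorted(set(params) - set(declared))  # extra check, assumed desirable
    if unknown:
        raise ValueError(f"parameters not in the OpenAPI definition: {unknown}")
    url = f"{base.rstrip('/')}{path}?{urlencode(params)}"
    argv = ["curl", "-sS", "--fail", "--proto", "=https", "-H", f"apikey: {key}", url]
    loggable = [a.replace(key, "***") for a in argv]  # write this one to error logs
    return argv, loggable
```

Only the loggable list should reach the detailed error log the notes ask for; argv carries the live key.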
