Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Coinw Spot Skill

v1.5.0

Coinw Spot REST API skill: covers market data, order placement/cancellation, order queries, account balances, and asset transfers.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for connectcoinw/coinw-spot-skill.

Install the skill "Coinw Spot Skill" (connectcoinw/coinw-spot-skill) from ClawHub.
Skill page: https://clawhub.ai/connectcoinw/coinw-spot-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: COINW_API_KEY, COINW_SECRET_KEY
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install coinw-spot-skill

ClawHub CLI


npx clawhub@latest install coinw-spot-skill
Security Scan
Capability signals
Crypto, Can make purchases, Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (CoinW spot trading + market data) align with the requested environment variables COINW_API_KEY and COINW_SECRET_KEY and the documented endpoints; no unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md provides detailed API endpoints and signing instructions and explicitly asks users to provide api_key/secret_key in chat and promises the agent will mask and store them in OpenClaw credential storage. Requesting credentials and showing how to sign requests is expected for a trading skill, but instructing users to paste secrets into chat can expose them if the platform storage/handling is misconfigured or if the agent logs are visible.
Install Mechanism
Instruction-only skill with no install spec or downloaded artifacts; minimal install risk because nothing is written to disk by an installer.
Credentials
Only two environment variables (API key and secret) are required, which is proportionate for a REST API trading skill. No extra unrelated secrets or config paths are requested.
Persistence & Privilege
The skill is flagged always: true. That forces the skill to be included in every agent context, increasing its runtime exposure and attack surface. Combined with the ability to accept/store API credentials and perform trading actions, this elevated persistence is a meaningful risk and should be justified or removed.
What to consider before installing
This skill appears to be a legitimate CoinW spot API integration, but exercise caution before enabling it:

  1. always:true: the skill will be force-loaded into every agent run — ask why this is necessary; prefer skills that are only loaded when explicitly enabled.
  2. Credentials: only provide an API key with the minimum permissions needed (e.g., read-only if you only need market data; avoid enabling withdrawals). Use IP whitelisting for the API key and enable 2FA on your account.
  3. Avoid pasting high-privilege secrets into chat logs unless you trust the platform credential storage; verify how OpenClaw stores/masks secrets.
  4. Verify the skill author/source (registry owner ID and missing homepage are weak provenance signals) — prefer official CoinW-published integrations or code hosted on an auditable repo.
  5. Monitor account activity and be ready to revoke API keys if anything unexpected occurs.

If you cannot confirm why always:true is set, treat this as a strong reason not to install or to ask the skill author/maintainer to remove that flag.


Runtime requirements

Env: COINW_API_KEY, COINW_SECRET_KEY
latest: vk97a69qf5vyjmbwbcssb1wkepd85fw97
133 downloads
1 star
5 versions
Updated 4d ago
v1.5.0
MIT-0

Coinw Spot Skill

Setup Credentials

CoinW private endpoints require api_key and a request signature (sign).

Signing note: Spot endpoints use Spot MD5 uppercase signing. Do not use Contract HMAC-SHA256 signing for Spot APIs.

  1. Environment variables:
export COINW_API_KEY="your_api_key"
export COINW_SECRET_KEY="your_secret_key"
  2. In chat: provide api_key/secret_key (and an account name). The agent will mask secrets when showing them back and store them securely in OpenClaw's credential storage (not inside skill markdown files).

Key Features

  • Market data: trading pairs, 24h summary, order book, recent trades, K-line data, hot volume stats
  • Trading actions: place order, cancel order / cancel all orders
  • Query and account: order query, trade history, spot balances, asset transfer

Quick Reference

Market Information

| No. | Name | Endpoint | Description | Method | Authentication | Input Parameters | Output Parameters |
|---|---|---|---|---|---|---|---|
| 1.1 | Get trading pair information | /api/v1/public?command=returnSymbol | Returns detailed information for all spot pairs, including min/max order price, quantity limits, and precision. | GET | Public | | currencyPair, currencyBase, currencyQuote, maxBuyCount, minBuyCount, pricePrecision, countPrecision, minBuyAmount, maxBuyAmount, and 12 total fields |
| 1.2 | Get 24h ticker summary for all pairs | /api/v1/public?command=returnTicker | Returns 24h summary metrics for all available pairs, including last price, best bid/ask, and volume. | GET | Public | | id, last, lowestAsk, highestBid, percentChange, isFrozen, high24hr, low24hr, baseVolume |
| 1.4 | Get order book | /api/v1/public?command=returnOrderBook | Queries spot order book data for a specified pair. Supports 5-level or 20-level depth. | GET | Public | size, symbol | asks, quantity, price, bids, quantity, price, pair |
| 1.5 | Get recent trades | /api/v1/public?command=returnTradeHistory | Queries recent trade records for a specified pair, including amount, price, total, time, side, and trade ID. | GET | Public | symbol | id, type, price, amount, total, time, pair |
| 1.6 | Get K-line data | /api/v1/public?command=returnChartData | Queries K-line (candlestick) data for a specified pair, including OHLC and volume. | GET | Public | currencyPair, period | date, high, low, open, close, volume, pair |
| 1.7 | Get 24h volume for hot pairs | /api/v1/public?command=return24hVolume | Returns 24h volume summary for popular pairs and market totals (such as BTC/ETH/USDT-related metrics). | GET | Public | | data, totalETH, totalUSDT, totalBTC, ETH_USDT, ETH, USDT, LTC_CNYT, LTC, and 28 total fields |

Place Orders

| No. | Name | Endpoint | Description | Method | Authentication | Input Parameters | Output Parameters |
|---|---|---|---|---|---|---|---|
| 2.1 | Place order | /api/v1/private?command=doTrade | Places a spot order by specifying order type, amount, price, and external order ID. | POST | Private | api_key, sign, symbol, type, amount, rate, isMarket, out_trade_no | orderNumber |
| 2.2 | Cancel order | /api/v1/private?command=cancelOrder | Cancels an unfilled spot order by order ID. | POST | Private | api_key, sign, orderNumber | clientOrderId |
| 2.3 | Cancel all orders | /api/v1/private?command=cancelAllOrder | Cancels all unfilled orders for a specified trading pair. | POST | Private | api_key, sign, currencyPair | msg |

Query Orders

| No. | Name | Endpoint | Description | Method | Authentication | Input Parameters | Output Parameters |
|---|---|---|---|---|---|---|---|
| 3.1 | Get open orders | /api/v1/private?command=returnOpenOrders | Returns all current unfilled orders for a specified pair, including order ID, time, amount, and status. | POST | Private | api_key, sign, currencyPair, startAt, endAt | orderNumber, date, startingAmount, total, type, prize, success_count, success_amount, status |
| 3.2 | Get historical orders | /api/v1/private?command=getUserTrades | Retrieves historical orders across pairs, with optional symbol filtering. Up to 100 records per request. | POST | Private | api_key, sign, symbol | tradeId, orderId, price, size, side, orderType, time, fee, before, and 10 total fields |
| 3.3 | Batch get historical orders | /v1/private?command=getBatchHistoryOrders | Batch query historical orders (last 3 months) by order ID list (see api-doc 3.3 for details). | POST | Private | api_key, sign, orderIds | data, orderId, date, side, type, dealSize, dealFunds, dealAvgPrice, fee, and 16 total fields |
| 3.4 | Get order details | /api/v1/private?command=returnOrderTrades | Returns detailed information for a specified order ID. | POST | Private | api_key, sign, orderNumber | tradeID, currencyPair, type, amount, success_amount, total, success_total, fee, date, and 10 total fields |
| 3.5 | Get order status | /api/v1/private?command=returnOrderStatus | Queries order status by order ID, including pair, side, amount, execution status, and timestamp. | POST | Private | api_key, sign, orderNumber | currencyPair, type, total, startingAmount, status, date |
| 3.6 | Get trade history | /api/v1/private?command=returnUTradeHistory | Returns trade history records for a specified pair. | POST | Private | api_key, sign, currencyPair | tradeID, type, amount, success_amount, total, success_count, fee, prize, date, and 11 total fields |

Account Information

| No. | Name | Endpoint | Description | Method | Authentication | Input Parameters | Output Parameters |
|---|---|---|---|---|---|---|---|
| 4.1 | Get spot account balance | /api/v1/private?command=returnBalances | Retrieves available balances in the user's spot account across supported assets. | POST | Private | api_key, sign | data, msg |
| 4.2 | Get complete spot balances | /api/v1/private?command=returnCompleteBalances | Retrieves full spot balance details, including available balances and order-frozen balances. | POST | Private | api_key, sign | data, available, onOrders |
| 4.7 | Asset transfer | /api/v1/private?command=spotWealthTransfer | Transfers assets between the spot account and funding account for fund management. | POST | Private | api_key, sign, accountType, targetAccountType, bizType, coinCode, amount | data, msg |

Common Parameters and Enums

Auth and URL

  • Base URL: https://api.coinw.com.
  • Public REST: GET/POST https://api.coinw.com/api/v1/public?command=....
  • Private REST: usually POST https://api.coinw.com/api/v1/private?command=..., with api_key and sign (MD5, see Reference) in query/body.
  • Some docs show /v1/private?command=... alongside /api/v1/private; follow actual implementation.

command values (private/public endpoints covered in this file)

cancelAllOrder, cancelOrder, doTrade, getBatchHistoryOrders, getUserTrades, return24hVolume, returnBalances, returnChartData, returnCompleteBalances, returnOpenOrders, returnOrderBook, returnOrderStatus, returnOrderTrades, returnSymbol, returnTicker, returnTradeHistory, returnUTradeHistory, spotWealthTransfer

Common request fields

  • symbol / currencyPair: trading pair, for example BTC_USDT (field names vary by endpoint).
  • isMarket: market-order related; type: order type; rate / amount / funds: price, quantity, or amount (see order placement section).

Standard response wrapper (common in REST)

  • Common top-level fields: code, msg / message, success, failed, data (actual response varies by endpoint).

Common enums

  • failed: true/false; indicates whether request failed.
  • isFrozen: freeze status: 0 = no, 1 = yes.
  • side: BUY/SELL
  • state: pair status: 1 = active, 2 = disabled.
  • status: 1 = unfilled, 2 = partially filled, 3 = fully filled, 4 = user canceled; order status may also include 5 = triggered, 6 = trigger failed.
  • success: true/false; indicates whether request succeeded.
  • type (orders, such as in batch history): LIMIT, MARKET, HL_LIMIT, PLANNING, STOP_LIMIT_ORDER, SMART_MARKET_ORDER, ICEBERG, etc.

Examples

GET (public endpoint)

curl "https://api.coinw.com/api/v1/public?command=returnSymbol"

Auth required (private endpoint)

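# Parameters to sign, in the order this example uses.
params="api_key=$COINW_API_KEY&amount=0.001&funds=1&isMarket=1&out_trade_no=1&rate=40000&symbol=BTC_USDT"
# Spot signing: append secret_key, then take the uppercase MD5 hex digest.
sign_string="$params&secret_key=$COINW_SECRET_KEY"
# printf '%s' avoids the portability differences of echo -n between shells.
sign=$(printf '%s' "$sign_string" | openssl md5 | cut -d' ' -f2 | tr '[:lower:]' '[:upper:]')
curl -X POST "https://api.coinw.com/api/v1/private?command=doTrade&$params&sign=$sign"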

Security

When showing credentials to users:

  • API Key: Show first 4 + last 5 characters: 12&*1...198I
  • Secret Key: Always mask, show only last 4: ***...isf1
  • Ask for user confirmation before any trade action.
  • Store user api_key and secret_key in a secure location.
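
The masking rules above, applied as a redaction filter for shell traces and chat or agent logs, where the sign string and request URL from the signing example would otherwise expose api_key, secret_key and sign. This is an added example, not part of the skill; the function names, the short-value thresholds, the full masking of sign, and the sample credentials are assumptions made here.

```python
import re

# Masking rules from the Security section: API key shows first 4 + last 5,
# secret key shows only the last 4.
KEY_HEAD, KEY_TAIL, SECRET_TAIL = 4, 5, 4

# name=value pairs as they appear in the page's query string and sign string.
PAIR = re.compile(r"\b(api_key|secret_key|sign)=([^&\s\"']+)")


def mask_api_key(value):
    # Assumption of this example: if the 9 revealed characters would be more
    # than half of the key, reveal nothing.
    if len(value) < 2 * (KEY_HEAD + KEY_TAIL):
        return "***"
    return value[:KEY_HEAD] + "..." + value[-KEY_TAIL:]


def mask_secret(value):
    # Same guard: a secret shorter than 16 characters is hidden completely.
    if len(value) < 4 * SECRET_TAIL:
        return "***"
    return "***..." + value[-SECRET_TAIL:]


def redact_line(line):
    """Return the line with CoinW credential fields masked."""
    def repl(match):
        name, value = match.groups()
        if name == "api_key":
            return name + "=" + mask_api_key(value)
        if name == "secret_key":
            return name + "=" + mask_secret(value)
        return name + "=***"  # sign authenticates a request; hide it fully
    return PAIR.sub(repl, line)


# Constructed log lines: a shell trace of the signing example and a chat paste.
SAMPLE_LOG = [
    "+ sign_string='api_key=AK12example34567890XYZ&amount=0.001&symbol=BTC_USDT"
    "&secret_key=SKexample0000000000isf1'",
    "+ curl -X POST 'https://api.coinw.com/api/v1/private?command=doTrade"
    "&api_key=AK12example34567890XYZ&symbol=BTC_USDT&sign=0123456789ABCDEF0123456789ABCDEF'",
    "chat: my secret_key=short",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(redact_line(entry))
```

Run the filter before log lines are written to storage, so the unmasked values never reach disk.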

Agent Behavior

  1. Credentials requested: Mask secrets (show last 5 chars only)
  2. Listing accounts: Show names, never keys
  3. New credentials: Prompt for name, signing mode

Adding New Accounts

When user provides new credentials:

  • Ask for account name
  • Store the provided credentials in OpenClaw's secure credential store with masked display confirmation

Reference

  • Authentication: ./references/Authentication.md
  • errorcode: ./references/error-codes.md
  • notes: ./references/notes.md
  • api-key create steps: ./references/api-key-creation-steps.md
