Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kraken OpenAPI Skill

Operate Kraken public market APIs through UXC with a curated OpenAPI schema, market-first discovery, and explicit private-auth boundary notes.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
SKILL.md and the public OpenAPI (references/kraken-public.openapi.json) are consistent with a read-only Kraken public-market skill. However, the repo also contains references/kraken-spot-futures.openapi.json which documents private /0/private/* endpoints (balances, orders, etc.). Including that private-schema file conflicts with the stated public-only scope and is unnecessary for the described v1 behavior.
Instruction Scope
Runtime instructions stick to public reads via uxc and explicit link/inspect-before-run workflows. They do not instruct reading local secrets or accessing unrelated system paths. Guardrails emphasize read-only use and a private-auth boundary.
Install Mechanism
This is instruction-only (no install spec). The skill expects uxc to be installed and fetches a schema from raw.githubusercontent.com (a common release host). No arbitrary third-party binary downloads or extract operations are included in the skill itself.
Credentials
The skill declares no required env vars or credentials, which matches public-data-only usage. The presence of the separate 'spot-futures' OpenAPI file that defines private endpoints suggests potential future need for credentials—this is not requested now but is an unexplained artifact.
Persistence & Privilege
always:false and no unusual persistence or modification of other skills. Autonomous invocation is allowed (platform default) but not combined with broad credential access in this package.
What to consider before installing
Plain-language next steps and risks to consider before installing:

  • The skill itself is a read-only Kraken public-market helper and its runtime instructions are narrowly scoped to public endpoints. That is coherent with its description.
  • However, the package also includes a second OpenAPI file (references/kraken-spot-futures.openapi.json) that documents private/account endpoints (balances, add/cancel order). The SKILL.md instructs you to avoid private endpoints, so the presence of that file is unexplained — inspect it and ask the publisher why it is included before trusting the skill.
  • The skill relies on uxc and a schema fetched from raw.githubusercontent.com at runtime. Make sure you trust the uxc implementation and that the schema URL is the canonical one you expect; a malicious or tampered schema could cause unintended API calls.
  • There are no environment variables or credentials requested by this skill now, so it will not ask for your API keys. If you later enable private functionality, require a well-reviewed Kraken signer flow and explicitly scoped credentials.
  • If you are not familiar with uxc or do not trust the skill author, review the files locally (especially the spot/futures schema and scripts/validate.sh) and confirm the linked schema URL before enabling automatic invocation. If you want higher assurance, ask the skill publisher why the private OpenAPI file is included and request its removal (or justification) before use.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0


SKILL.md

Kraken REST Skill

Use this skill to run Kraken public market-data operations through uxc + OpenAPI.

Reuse the uxc skill for shared execution, auth, and error-handling guidance.

Prerequisites

  • uxc is installed and available in PATH.
  • Network access to https://api.kraken.com.
  • Access to the curated OpenAPI schema URL:
    • https://raw.githubusercontent.com/holon-run/uxc/main/skills/kraken-openapi-skill/references/kraken-public.openapi.json

Scope

This skill covers a curated Kraken public surface for:

  • server time
  • asset pair metadata
  • ticker reads
  • OHLC candles
  • order book snapshots

This skill does not cover:

  • private account or trade endpoints in v1
  • Kraken FIX
  • broader non-core platform products

Authentication

Public market endpoints in this skill do not require credentials.

Kraken private REST endpoints use provider-specific header signing and nonce handling. Keep this v1 skill public-data-only until a reusable Kraken signer flow exists in uxc.

Core Workflow

  1. Use the fixed link command by default:

    • command -v kraken-openapi-cli
    • If missing, create it: uxc link kraken-openapi-cli https://api.kraken.com --schema-url https://raw.githubusercontent.com/holon-run/uxc/main/skills/kraken-openapi-skill/references/kraken-public.openapi.json
    • kraken-openapi-cli -h
  2. Inspect operation help before execution:

    • kraken-openapi-cli get:/0/public/Time -h
    • kraken-openapi-cli get:/0/public/Ticker -h
  3. Prefer narrow pair reads first:

    • kraken-openapi-cli get:/0/public/Ticker pair=XBTUSD
    • kraken-openapi-cli get:/0/public/Depth pair=XBTUSD count=20

Operations

  • get:/0/public/Time
  • get:/0/public/AssetPairs
  • get:/0/public/Ticker
  • get:/0/public/OHLC
  • get:/0/public/Depth
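
The operations listed above double as an allowlist for whatever schema uxc is pointed at. The following added example (not part of the skill or of uxc) audits an OpenAPI document against that list and the https://api.kraken.com host; the function name audit_schema and both sample documents are constructed for illustration.

```python
import json

# Allowlist taken from the skill's Operations list (method:path form).
ALLOWED_OPS = {
    "get:/0/public/Time", "get:/0/public/AssetPairs", "get:/0/public/Ticker",
    "get:/0/public/OHLC", "get:/0/public/Depth",
}
EXPECTED_SERVER = "https://api.kraken.com"
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def audit_schema(raw: str) -> list[str]:
    """Return findings for an OpenAPI document that exceeds the public read-only scope."""
    doc = json.loads(raw)
    findings = []
    for server in doc.get("servers", []):
        if server.get("url", "").rstrip("/") != EXPECTED_SERVER:
            findings.append(f"unexpected server: {server.get('url')}")
    for path, item in doc.get("paths", {}).items():
        for method in item:
            if method.lower() not in HTTP_METHODS:
                continue  # skip non-operation keys such as "parameters"
            op = f"{method.lower()}:{path}"
            if op not in ALLOWED_OPS:
                findings.append(f"operation outside allowlist: {op}")
    if doc.get("components", {}).get("securitySchemes"):
        findings.append("schema declares securitySchemes (credentials expected)")
    if doc.get("security"):
        findings.append("schema sets a global security requirement")
    return sorted(findings)

# Constructed sample documents (not the project's real schema files).
CLEAN = json.dumps({
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.kraken.com"}],
    "paths": {"/0/public/Time": {"get": {}},
              "/0/public/Ticker": {"get": {}, "parameters": []}},
})
TAMPERED = json.dumps({
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.kraken.example"}],
    "paths": {"/0/public/Time": {"get": {}}, "/0/private/Balance": {"post": {}}},
    "components": {"securitySchemes": {
        "apiKey": {"type": "apiKey", "in": "header", "name": "API-Key"}}},
})

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit_schema(raw) or "OK")
```

Run it against a locally saved copy of the schema before linking, and again whenever the file at the schema URL changes.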

Guardrails

  • Keep automation on the JSON output envelope; do not use --text.
  • Parse stable fields first: ok, kind, protocol, data, error.
  • Treat this v1 skill as read-only.
  • Kraken pair naming can differ from other venues. Check AssetPairs before assuming symbol strings.
  • kraken-openapi-cli <operation> ... is equivalent to uxc https://api.kraken.com --schema-url <kraken_public_openapi_schema> <operation> ....
