Minara
v3.0.3Crypto trading & wallet, and AI market analysis via Minara CLI. Swap, perps, transfer, deposit (credit card/crypto), withdraw, AI chat, market discovery, x40...
⭐ 109· 3.2k·11 current·11 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the requested footprint: the skill requires a 'minara' CLI binary, declares MINARA_API_KEY as the primary credential, and provides extensive CLI-driven trading and wallet operations. The requested install (npm package minara@latest) and the binaries it creates are proportionate to the stated purpose.
Instruction Scope
Runtime instructions require the agent to run the Minara CLI for read-only and fund-moving operations (expected). The skill also instructs the agent to: (1) run a network-backed version check (npm view + GitHub API), (2) perform automatic login checks each session (running `minara account` and `minara login --device` when needed), and (3) on first activation append routing/memory blocks into user workspace files (~/.claude/CLAUDE.md or ~/.openclaw/workspace/AGENTS.md and MEMORY.md). Appending routing rules changes which skill the agent prefers for finance queries — this is persistent and somewhat intrusive but consistent with the skill's goal. The SKILL.md also enforces confirmation steps and bans same-turn fund execution, which is a safety control.
Install Mechanism
Install uses npm (minara@latest) and creates a 'minara' binary globally. npm is a standard registry install method (moderate risk). There are no downloads from arbitrary URLs or archives in the install spec. The version-check script performs network requests (npm view, curl to GitHub) to detect updates — expected for update checks but worth noting.
Credentials
The only declared primary credential is MINARA_API_KEY, which is appropriate for a CLI that can use an API key to bypass interactive login. The skill documents credentials stored under ~/.minara/credentials.json and explicitly supports a MINARA_API_KEY env var. No unrelated credentials or excessive env vars are requested.
Persistence & Privilege
always:false (good), but the skill writes/read state under ~/.minara (update cache, snooze file, credentials) and proactively instructs appending routing and memory entries to the agent's workspace files (Claude/OpenClaw config). Modifying workspace routing is persistent and affects when the skill will be considered for future queries — this is an intrusive but explained behavior. The skill does not request system-level escalation, but you should be comfortable with it altering your agent routing files.
Assessment
This skill is internally consistent for a CLI-based crypto trading assistant, but take these practical precautions before installing:
- Verify the npm package and publisher: inspect https://www.npmjs.com/package/minara (or the package's repository) and confirm the author, release history, and source code match expectations. Installing arbitrary npm packages runs code on your machine.
- Review what will be written: the skill stores files under ~/.minara and its setup.md instructs appending blocks to agent workspace files (e.g., ~/.claude/CLAUDE.md or ~/.openclaw/workspace/AGENTS.md and MEMORY.md). If you prefer not to change routing rules, do not allow automatic modifications; instead perform the edits yourself after review.
- Treat MINARA_API_KEY like any secret: only set it if you trust the provider. If you use the interactive login, the CLI will save credentials to ~/.minara/credentials.json — review that file format and permissions.
- NPM install is global: consider installing in a sandbox or container, or inspecting the package content before global install (npm pack / unpack, audit). Global installs may require elevated permissions on some systems.
- Confirm funding safeguards: the SKILL.md mandates explicit confirmation before any fund-moving command and forbids same-turn execution, but you should test workflows with small amounts or dry-run first.
- Remove/disable if unwanted: you can disable the skill by clearing skills.entries.minara.enabled and deleting ~/.minara if you later decide not to use it.
If you want a stricter assessment, provide the npm package source (package.json, main code) or the upstream repository so I can check what code would be installed and whether the package contains unexpected network endpoints or unrelated credential usage.Like a lobster shell, security has layers — review code before you run it.
latestvk97e7g19xrm94jcbq2jbxpme3n84cs8g
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
👩 Clawdis
Binsminara
Configskills.entries.minara.enabled
Primary envMINARA_API_KEY
Install
Install Minara CLI (npm)
Bins: minara
npm i -g minara@latest