← Back to Skills Marketplace

Coinank Openapi Skill

Name: Coinank Openapi Skill
Author: a4205586

by a4205586 · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

447

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install coinank-openapi-skill

Description

call coinank openapi to get data

README (SKILL.md)

权限声明

SECURITY MANIFEST:

- Allowed to read: {baseDir}/references/*.json

- Allowed to make network requests to: https://open-api.coinank.com

工作流 (按需加载模式)

当用户提出请求时，请严格执行以下步骤：

目录索引：首先扫描 {baseDir}/references/ 目录下的所有文件名，确定哪些 OpenAPI 定义文件与用户需求相关。
精准读取：仅读取选定的 .json 文件，分析其 paths、parameters 和 requestBody。其中paths内是一个对象,对象的key就是path
构造请求：使用 curl 执行请求。
- Base URL: 统一使用 https://open-api.coinank.com（或从 JSON 的 servers 字段提取）。
- Auth: 从环境变量 COINANK_API_KEY 中获取 apikey 注入 Header。
- 如果参数有endTime,尽量传入最新的毫秒级时间戳
- OpenAPI文档内的时间戳都是示例.如果用户没有指定时间,请使用最新的时间和毫秒级时间戳

注意事项

禁止全量加载：除非用户请求涉及多个领域，否则禁止同时读取多个 JSON 文件。
参数校验：在发起请求前，必须根据 OpenAPI 定义验证必填参数是否齐全。

Usage Guidance

This skill appears coherent: it needs your CoinAnk API key to call CoinAnk endpoints and uses only the included OpenAPI specs. Before installing, confirm you trust coinank.com and that the API key you provide has only the necessary read privileges (avoid providing a more-privileged key). Consider rotating the key if you stop using the skill. Because the skill can make network requests to the CoinAnk domain, do not supply high-privilege or multi-service credentials; verify any returned data before acting on it.

Capability Analysis

Type: OpenClaw Skill Name: coinank-openapi-skill Version: 1.0.0 The skill bundle is classified as suspicious due to a high risk of shell injection vulnerability. The `SKILL.md` explicitly instructs the AI agent to "使用 curl 执行请求" (execute request using curl). While the target domain `https://open-api.coinank.com` is whitelisted, many API parameters defined in the `references/*.openapi.json` files are user-controlled strings (e.g., `symbol`, `exchange`, `interval`, `sortBy`, `amount`, `search`). If the AI agent constructs the `curl` command by directly interpolating these user-controlled inputs without proper shell escaping, an attacker could inject arbitrary shell commands, leading to remote code execution on the host system. This represents a critical vulnerability, even though the skill bundle itself does not contain explicit malicious payloads.

Capability Assessment

✓ Purpose & Capability

Name/description state: call CoinAnk OpenAPI. Declared requirement: COINANK_API_KEY. Files are OpenAPI JSONs for CoinAnk endpoints. All requested resources (OpenAPI files + API key) align with the stated purpose.

✓ Instruction Scope

SKILL.md limits actions to: index/read {baseDir}/references/*.json, validate parameters against those OpenAPI files, and make curl requests to https://open-api.coinank.com with apikey header. It does not instruct reading other system files or calling other external endpoints.

✓ Install Mechanism

No install spec and no code files — instruction-only. Nothing is downloaded or written to disk by the skill itself, minimizing install-time risk.

✓ Credentials

Only one env var is required (COINANK_API_KEY) and it is the primary credential used to authenticate to the CoinAnk API, which matches the skill's purpose. No unrelated secrets or config paths are requested.

✓ Persistence & Privilege

always is false and the skill does not request persistent system privileges or configuration changes. Autonomous invocation is allowed by platform default but is not combined with other concerning privileges.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install coinank-openapi-skill
After installation, invoke the skill by name or use /coinank-openapi-skill
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release of coinank-openapi-skill. - Allows secure access to coinank OpenAPI via https://open-api.coinank.com. - Requires environment variable COINANK_API_KEY for authentication. - Reads relevant OpenAPI JSON files on-demand from the `{baseDir}/references/` directory. - Validates required parameters against OpenAPI definitions before making requests. - Constructs requests using curl, with special handling for timestamps and headers. - Includes clear security and access restrictions for files and network access.

Metadata

Slug coinank-openapi-skill

Version 1.0.0

License —

All-time Installs 1

Active Installs 1

Total Versions 1

Frequently Asked Questions

What is Coinank Openapi Skill?

call coinank openapi to get data. It is an AI Agent Skill for Claude Code / OpenClaw, with 447 downloads so far.

How do I install Coinank Openapi Skill?

Run "/install coinank-openapi-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Coinank Openapi Skill free?

Yes, Coinank Openapi Skill is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Coinank Openapi Skill support?

Coinank Openapi Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Coinank Openapi Skill?

It is built and maintained by a4205586 (@a4205586); the current version is v1.0.0.

More Skills