← Back to Skills Marketplace
gabriel-0110

Kraken CLI

by Gabriel Chiappa · GitHub ↗ · v1.2.0 · MIT-0
cross-platform ⚠ suspicious
285
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install kraken-spot
Description
Use a Bash CLI to query Kraken Spot and Futures APIs, inspect account state, run guarded trading and funding actions, and work with Kraken websocket payloads...
README (SKILL.md)

OpenClaw Kraken

Use {baseDir}/bin/openclaw-kraken for Kraken Spot REST tasks.

Use when

  • The user wants Kraken market data.
  • The user wants Kraken account state from private REST endpoints.
  • The user wants guarded order placement, funding, earn, futures, subaccount, or websocket actions through a local Bash tool instead of ad hoc curl commands.

Rules

  • Never print API secrets, signatures, or raw auth headers.
  • Read secrets from the environment only. In OpenClaw, inject them via secret refs rather than plaintext config.
  • Refuse to run if required config is missing or malformed.
  • Use configured base URLs only. Do not accept arbitrary destination URLs.
  • Preserve stdout for API results; use --jq or --compact when structured formatting is needed.
  • Prefer read-only endpoints unless the user clearly asked for a state-changing action.
  • For state-changing aliases such as trading, withdrawal, earn allocation, or subaccount transfer operations, require --confirm.

Commands

  • market time
  • market ticker --pair XBTUSD
  • account balance
  • funding deposit-methods --asset ETH
  • earn strategies --ascending true
  • futures call market.tickers
  • ws spot-public --message-json '{"method":"ping"}'
  • orders add --pair XBTUSD --side buy --type limit --volume 0.01 --price 25000 --time-in-force GTC --post-only true --confirm
  • call funding.withdraw-info --asset ETH --key MyWallet --amount 0.5

Configuration

  • Non-secret config is read from environment or OPENCLAW_KRAKEN_CONFIG.
  • Secrets must be provided via environment variables that OpenClaw resolves from secret refs.
  • See {baseDir}/README.md for examples.
Usage Guidance
This appears to be a genuine Kraken CLI, but the published metadata is incomplete: the code needs KRAKEN_API_SECRET and futures API secrets (and may need node, base64, od, jq) even though the skill only declared KRAKEN_API_BASE_URL and KRAKEN_API_KEY. Before installing: (1) ask the publisher to update SKILL.md/registry metadata to list all required secret environment variables and runtime binaries; (2) confirm how OpenClaw will inject the additional secrets (KRAKEN_API_SECRET, KRAKEN_FUTURES_API_KEY/SECRET) as secret refs rather than plaintext; (3) if you will allow agent-autonomous invocation, ensure you trust the skill because it can place trades/withdraw funds (state-changing operations require --confirm but confirm behavior can be changed via KRAKEN_REQUIRE_CONFIRM); and (4) review included test files (they contain example secret strings) and ensure no real secrets are embedded. If you cannot obtain an updated, complete metadata manifest from the publisher, treat the skill as risky and avoid installing it into agents that have access to real exchange API credentials.
Capability Analysis
Type: OpenClaw Skill Name: kraken-spot Version: 1.2.0 The skill bundle is a well-structured and security-conscious Bash CLI for interacting with Kraken Spot and Futures APIs. It implements several protective measures, including automated redaction of API keys and signatures in stderr logs (lib/kraken_redact.sh), a local registry-based allow-list for API endpoints (config/endpoints.tsv), and mandatory confirmation flags for state-changing operations. The logic for authentication and request signing follows standard Kraken API specifications using openssl, and no evidence of data exfiltration, unauthorized network calls, or malicious prompt injection was found.
Capability Assessment
Purpose & Capability
The skill's name/description (Kraken Spot/Futures CLI) matches the code: the CLI implements public, private, futures, and websocket flows and will legitimately need Kraken API keys/secrets for private endpoints. However the registry metadata and SKILL.md only declare KRAKEN_API_BASE_URL and a primaryEnv KRAKEN_API_KEY; the implementation also requires KRAKEN_API_SECRET, KRAKEN_FUTURES_API_KEY, and KRAKEN_FUTURES_API_SECRET for private/futures calls. That mismatch between stated requirements and actual necessary credentials is an incoherence.
Instruction Scope
SKILL.md instructs the agent to run the local bin/openclaw-kraken CLI and to read secrets from environment (OpenClaw secret refs). The instructions themselves are scoped to Kraken APIs. The problem: the SKILL.md metadata omits several environment variables and runtime binaries that the code actually reads/uses (see environment_proportionality and install_mechanism). The code reads many env vars (KRAKEN_API_SECRET, KRAKEN_FUTURES_API_KEY/SECRET, KRAKEN_OTP, KRAKEN_REQUIRE_CONFIRM, etc.) and may invoke a Node websocket client; SKILL.md does not list those explicitly in the published requires block.
Install Mechanism
This skill is instruction-only in the registry (no remote install script), and all code is included in the bundle (no downloads from arbitrary URLs) — low install risk. Minor oddities: the CLI shebang points to /opt/homebrew/bin/bash (non-portable) and the skill includes a Node script (scripts/ws_client.mjs) but the metadata does not list node as a required runtime.
Credentials
Metadata declares only KRAKEN_API_BASE_URL and marks KRAKEN_API_KEY as primary, but the code requires additional secrets: KRAKEN_API_SECRET for private REST signing, plus KRAKEN_FUTURES_API_KEY and KRAKEN_FUTURES_API_SECRET for futures private endpoints. The code also expects utilities like base64 and od and may require jq for some output modes. The registry/metadata under-declares sensitive env vars and runtime dependencies, which is disproportionate and could lead to silent failures or unexpected secret exposure if the platform doesn't inject those secrets.
Persistence & Privilege
always:false and no special privileges requested. The skill does not request system-wide config changes or other skills' credentials. Autonomous invocation (disable-model-invocation:false) is the platform default; by itself this is not flagged, and here it does not combine with other escalation markers.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install kraken-spot
  3. After installation, invoke the skill by name or use /kraken-spot
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
Fix: include bin/openclaw-kraken and config/ that were dropped by clawhub publish bug; fix bash 4.2+ shebang for macOS
v1.1.0
Fork: include bin/openclaw-kraken and config/ missing from 1.0.0; fix bash shebang for macOS
Metadata
Slug kraken-spot
Version 1.2.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Kraken CLI?

Use a Bash CLI to query Kraken Spot and Futures APIs, inspect account state, run guarded trading and funding actions, and work with Kraken websocket payloads... It is an AI Agent Skill for Claude Code / OpenClaw, with 285 downloads so far.

How do I install Kraken CLI?

Run "/install kraken-spot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Kraken CLI free?

Yes, Kraken CLI is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Kraken CLI support?

Kraken CLI is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Kraken CLI?

It is built and maintained by Gabriel Chiappa (@gabriel-0110); the current version is v1.2.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments