← Back to Skills Marketplace
781
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install upbit-market-data-skill
Description
Fetch market data from Upbit via CLI commands including pairs, candles, trades, tickers, orderbooks, and watchlist with JSON output.
Usage Guidance
This skill appears to do what it says: a Node.js CLI that calls Upbit's public market endpoints and outputs JSON. Before installing or running it: 1) place any Upbit accessKey/secretKey only in a secure local config file (config/config.json) and avoid committing that file to VCS; the skill will read that file if you include keys. 2) If you do not need authenticated endpoints, you can leave the keys empty — the included market-data calls are public. 3) Be careful when overriding config with --config: pointing the tool at a file you don't control could expose secrets in that file to the process. 4) Verify the config.baseUrl if you change it — pointing it to a non-Upbit host would send requests (and any signed token) to that host. 5) The presence of JWT signing code is expected for authenticated Upbit APIs but is not used by the existing public endpoints; this is a minor inconsistency but not malicious.
Capability Analysis
Type: OpenClaw Skill
Name: upbit-market-data-skill
Version: 1.0.2
The skill exhibits significant vulnerabilities, specifically a Local File Inclusion (LFI) risk in `src/config.js` where the configuration file path can be overridden via `--config` or `UPBIT_SKILL_CONFIG` environment variable, allowing the skill to read arbitrary local files. Additionally, there is a Server-Side Request Forgery (SSRF) risk in `src/upbit/client.js` as the `baseUrl` is loaded from the config without validation and used directly in `fetch`, potentially allowing an attacker to make the skill send requests to internal network resources. While these are critical flaws, they are vulnerabilities that *allow* attacks rather than code *designed* for malicious actions like data exfiltration or persistence, thus classifying it as suspicious.
Capability Assessment
Purpose & Capability
Name/description (fetch Upbit market data) matches the code and SKILL.md: the CLI implements pairs, candles, trades, tickers, orderbooks, and a watchlist. The presence of an auth helper and config fields for accessKey/secretKey is reasonable for an API client even though market-data endpoints are public.
Instruction Scope
Runtime instructions are focused on running the CLI and creating a local config/config.json; the skill reads only that config (or an override path supplied via --config / UPBIT_SKILL_CONFIG). No instructions ask the agent to read unrelated files or exfiltrate data. Note: SKILL.md tells the user to store accessKey/secretKey in the config file — those are secrets kept in a local file and will be read by the skill.
Install Mechanism
This is an instruction-only skill with a package.json and source files; installation is a standard npm install of well-known packages (jsonwebtoken, uuid). There are no downloads from arbitrary URLs or extract steps in the manifest.
Credentials
The skill does not require environment credentials; it expects a local config JSON containing optional Upbit accessKey/secretKey and an optional baseUrl. That is proportionate for a client that may sign requests. Minor inconsistency: the code includes JWT signing (auth.js) and requests API keys in the config, but the provided market-data endpoints in endpoints.js call request() without authRequired=true, so authenticated signing is unused for the included public endpoints.
Persistence & Privilege
The skill does not request persistent installation privileges (always:false), does not modify other skills or system-wide settings, and only reads a config file path (or the path passed via --config). It sets UPBIT_SKILL_CONFIG only for the running process when --config is used.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install upbit-market-data-skill - After installation, invoke the skill by name or use
/upbit-market-data-skill - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
SKILL.md Content Details Description
v1.0.1
Improves poorly handled CLI parsing
v1.0.0
- Initial release of Upbit Market Data Skill for OpenClaw.
- Provides CLI commands to fetch Upbit market/quotation data: trading pairs, candles (all intervals), recent trades, tickers, and orderbooks.
- Outputs standardized JSON for both success and error cases, suitable for automation.
- Supports customizable configuration, watchlists, and error/rate limit handling.
- Requires Node.js 18+ and npm for installation and use.
Metadata
Frequently Asked Questions
What is UPBIT market data get skill?
Fetch market data from Upbit via CLI commands including pairs, candles, trades, tickers, orderbooks, and watchlist with JSON output. It is an AI Agent Skill for Claude Code / OpenClaw, with 781 downloads so far.
How do I install UPBIT market data get skill?
Run "/install upbit-market-data-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is UPBIT market data get skill free?
Yes, UPBIT market data get skill is completely free (open-source). You can download, install and use it at no cost.
Which platforms does UPBIT market data get skill support?
UPBIT market data get skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created UPBIT market data get skill?
It is built and maintained by kuns9 (@kuns9); the current version is v1.0.2.
More Skills