功能描述

Interacts with the BitSkins REST API V2 and WebSocket API for CS2/Dota 2 skin trading. Supports account management, market search, buying, selling, listing, delisting, relisting, price updates, Steam inventory/deposits/trades, wallet operations, and real-time WebSocket subscriptions. Use when the user wants to search for skins, check prices, buy or sell items, manage their BitSkins account, check balances, or interact with the BitSkins marketplace.

使用说明 (SKILL.md)

BitSkins API Skill

Name: BitSkins
Author: bluesyparty-src

Authentication

All requests to the BitSkins API require authentication via the x-apikey header.

The API key must be set in the environment variable BITSKINS_API_KEY. The user can obtain their API key from BitSkins account settings after enabling API access.

Important: Some endpoints (wallet withdrawals, 2FA operations) also require a twofa_code parameter. Always ask the user for their 2FA code when calling these endpoints rather than storing it.

Base URL

https://api.bitskins.com

Making Requests

Use the helper script to make API calls:

bash bitskins-api/scripts/bitskins-api.sh \x3CMETHOD> \x3CPATH> [JSON_BODY]

Examples:

# GET request (no body)
bash bitskins-api/scripts/bitskins-api.sh GET /account/profile/me

# POST request with JSON body
bash bitskins-api/scripts/bitskins-api.sh POST /account/profile/balance

# POST with parameters
bash bitskins-api/scripts/bitskins-api.sh POST /market/search/730 '{"limit":10,"offset":0,"where":{}}'

Rate Limits

Global: 50 requests per 10 seconds
Market search (/market/search/*): 1 request per second
These limits are dynamic and may be reduced under heavy server load.

Request Format

The API accepts JSON format
GET requests: no body required
POST requests: JSON body with required parameters

Response Format

All responses are JSON. Successful responses contain the data directly. Error responses include error codes documented in references/api-endpoints.md.

API Sections Overview

The API is organized into the following sections. See references/api-endpoints.md for the full endpoint reference.

Account

Profile: Get session info, balance, update account settings, update trade link, block account
Affiliate: Get affiliate info, claim money, view reward history, set affiliate code
2FA: Create, verify, disable, lock/unlock two-factor authentication
API Access: Create or disable API keys

Config

Currency rates: Get current exchange rates
Fee plans: Get available fee plans
Platform status: Check if platform is operational

Market (CS2 app_id=730, Dota 2 app_id=570)

Pricing: Get sales history, pricing summaries
Search: Browse CS2/Dota 2 markets, search own items, get item details, search by skin name, get filters
Buy: Buy single item, multiple items, or bulk buy
Withdraw: Withdraw single or multiple purchased items to Steam
Delist: Remove single or multiple items from sale
Relist: Relist single or multiple delisted items
Update price: Change price on single or multiple listed items
History: View item transaction history
Receipt: Get purchase receipt
Bump: Bump items for visibility, manage bump settings, buy bump packages
Skins catalog: Get all available skin names for a game
In-sell items: Get all currently listed items for a game

Steam

Inventory: List Steam inventory items
Deposit: Deposit items from Steam to BitSkins
Trades: View Steam trade offers and their status

Wallet

Stats: Get wallet statistics, KYC limits
Transactions: List completed and pending transactions
Reports: Generate and download wallet reports

Wallet Deposit

Binance Pay: Create Binance Pay deposit
Cryptocurrency: Get deposit addresses for BTC, LTC, ETH
Gift codes: Redeem gift codes, view used codes
Zen: Create Zen deposit
Card (Unlimint): Add cards, list cards, deposit via card

Wallet Withdraw

Cryptocurrency: Withdraw to BTC, LTC, ETH addresses
Binance Pay: Withdraw via Binance Pay
Card (Unlimint): Withdraw to Visa card

WebSocket

Real-time updates via wss://ws.bitskins.com. See references/websocket.md for details.

Common Patterns

Searching the Market

The market search endpoints accept where objects for filtering and support limit/offset pagination:

{
  "limit": 20,
  "offset": 0,
  "order": [{"field": "price", "order": "ASC"}],
  "where": {
    "skin_name": ["AK-47 | Redline"],
    "price_from": 1000,
    "price_to": 5000
  }
}

Note: Prices are in cents (e.g., 1000 = $10.00).

Buying Items

To buy an item, you need its id and app_id. Use market search to find items, then:

{"app_id": 730, "id": "ITEM_ID", "max_price": 1500}

The max_price parameter protects against price changes between search and purchase.

Listing/Depositing Items

Get Steam inventory: POST /steam/inventory/list
Deposit items: POST /steam/deposit/many with item IDs and prices
Monitor trade status: POST /steam/trade/active

Withdrawing Purchased Items

After buying, withdraw to Steam:

{"app_id": 730, "id": "ITEM_ID"}

Important Notes

Always confirm with the user before executing buy, sell, withdraw, or any financial operation
Prices are in cents (integer values)
Game IDs: CS2 = 730, Dota 2 = 570
The where_mine filter on "mine" endpoints accepts: listed, pending_withdrawal, in_queue, given, need_to_withdraw
2FA codes are time-sensitive; always request fresh codes from the user

安全使用建议

This skill mostly does what it says (wraps the BitSkins REST and WebSocket APIs), but there are a few red flags you should address before using it with real funds or account keys: - Provenance: the package has no homepage or source URL. Ask the publisher for the code origin or prefer a skill published by a known/verified author. - Declared vs. actual requirements: the registry metadata lists no required env vars or binaries, but SKILL.md and scripts require BITSKINS_API_KEY and depend on curl (and optionally jq). Do not set an API key until the metadata is corrected. - Secrets handling: the helper script sends your API key in the x-apikey header; ensure your platform stores the key in a secure secret store (not a global shell profile). Prefer creating a scoped/ephemeral API key on BitSkins with minimal permissions for testing. - Test-read only first: start by calling non-destructive endpoints (e.g., GET /config/status/get or market search) to confirm behavior before attempting buys, withdrawals, or wallet operations. - Verify binaries and environment: confirm curl is available (the script will fail otherwise) and jq is present if you want pretty output. Ask the author to list these in the skill metadata so automated checks can validate runtime prerequisites. - Confirm 2FA workflow: the skill correctly requests fresh 2FA codes for sensitive endpoints — never allow the skill to store persistent 2FA codes. - Ask for an updated package: request that the publisher update registry metadata to declare BITSKINS_API_KEY as required, list required binaries, and provide a homepage or source repository. If they cannot or will not, treat the skill as untrusted. If you decide to proceed temporarily, use an account with no balance or an API key with limited permissions, and avoid any real financial or withdrawal actions until provenance and metadata are fixed.

功能分析

Type: OpenClaw Skill Name: bitskins Version: 1.0.0 The skill provides a shell script to interact with the BitSkins API, enabling direct financial transactions (buy, sell, withdraw, deposit) and account management for CS2/Dota 2 skins. While these are inherently high-risk capabilities, the `SKILL.md` explicitly instructs the AI agent to "Always confirm with the user before executing buy, sell, withdraw, or any financial operation", which acts as a critical safeguard against unauthorized actions. The `BITSKINS_API_KEY` is handled securely via environment variables and passed in HTTP headers to the legitimate `api.bitskins.com` domain, with no evidence of exfiltration or malicious execution. The classification is suspicious due to the significant financial capabilities and potential impact of misuse, even with the implemented safeguards, rather than clear malicious intent.

能力评估

⚠ Purpose & Capability

The SKILL.md, reference docs, and helper script all align with a BitSkins marketplace integration (market search, buy/sell, wallet, Steam interactions, WebSocket subscriptions). However the registry metadata lists no required environment variables or credentials while the SKILL.md and the shipped script require BITSKINS_API_KEY; that mismatch is incoherent and should be corrected. The skill has no homepage/source URL, so provenance is unknown.

⚠ Instruction Scope

Runtime instructions are narrowly scoped to calling BitSkins endpoints and WebSocket channels and correctly warn to confirm financial operations and request fresh 2FA codes. However the instructions reference an environment variable (BITSKINS_API_KEY) and rely on curl/jq, yet the registry did not declare these requirements — the SKILL.md and script expect secrets and binaries that were not advertised, which is scope/inventory mismatch.

✓ Install Mechanism

There is no install spec (instruction-only with a small helper script). This is low-risk from an install/download standpoint — nothing is fetched from arbitrary URLs or written to disk by an installer.

⚠ Credentials

The only credential required by the script is a BitSkins API key (appropriate for this integration), which is proportionate to the stated purpose. But the registry metadata failed to declare it (and the 'Required env vars' earlier shows none). The skill also implicitly requires curl (and optionally jq) but did not declare required binaries — an omission that affects security review and user expectations.

✓ Persistence & Privilege

The skill does not request persistent privileges, 'always' is false, it does not modify system or other skill configs, and it does not demand persistent background access. Normal autonomous invocation is allowed (platform default).

版本历史

v1.0.0

Initial release of BitSkins API skill. - Enables interaction with BitSkins REST and WebSocket APIs for CS2/Dota 2 skin trading. - Supports user authentication, account management, searching the market, buying/selling items, and managing deposits/withdrawals. - Includes wallet operations, KYC, transaction history, and reports. - Provides Steam inventory integration and real-time marketplace updates via WebSocket. - Requires a BitSkins API key (via environment variable) and 2FA codes for sensitive actions. - Includes clear examples and guidelines for using each core API endpoint.

元数据

Slug bitskins

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题

BitSkins 是什么？

Interacts with the BitSkins REST API V2 and WebSocket API for CS2/Dota 2 skin trading. Supports account management, market search, buying, selling, listing, delisting, relisting, price updates, Steam inventory/deposits/trades, wallet operations, and real-time WebSocket subscriptions. Use when the user wants to search for skins, check prices, buy or sell items, manage their BitSkins account, check balances, or interact with the BitSkins marketplace. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 1049 次。

如何安装 BitSkins？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install bitskins」即可一键安装，无需额外配置。

BitSkins 是免费的吗？

是的，BitSkins 完全免费（开源免费），可自由下载、安装和使用。

BitSkins 支持哪些平台？

BitSkins 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 BitSkins？

由 bluesyparty-src（@bluesyparty-src）开发并维护，当前版本 v1.0.0。

BitSkins