← 返回 Skills 市场

Kraken CLI

Name: Kraken CLI
Author: gabriel-0110

作者 Gabriel Chiappa · GitHub ↗ · v1.2.0 · MIT-0

cross-platform ⚠ suspicious

285

总下载

当前安装

版本数

在 OpenClaw 中安装

/install kraken-spot

功能描述

Use a Bash CLI to query Kraken Spot and Futures APIs, inspect account state, run guarded trading and funding actions, and work with Kraken websocket payloads...

使用说明 (SKILL.md)

OpenClaw Kraken

Use {baseDir}/bin/openclaw-kraken for Kraken Spot REST tasks.

Use when

The user wants Kraken market data.
The user wants Kraken account state from private REST endpoints.
The user wants guarded order placement, funding, earn, futures, subaccount, or websocket actions through a local Bash tool instead of ad hoc curl commands.

Rules

Never print API secrets, signatures, or raw auth headers.
Read secrets from the environment only. In OpenClaw, inject them via secret refs rather than plaintext config.
Refuse to run if required config is missing or malformed.
Use configured base URLs only. Do not accept arbitrary destination URLs.
Preserve stdout for API results; use --jq or --compact when structured formatting is needed.
Prefer read-only endpoints unless the user clearly asked for a state-changing action.
For state-changing aliases such as trading, withdrawal, earn allocation, or subaccount transfer operations, require --confirm.

Commands

market time
market ticker --pair XBTUSD
account balance
funding deposit-methods --asset ETH
earn strategies --ascending true
futures call market.tickers
ws spot-public --message-json '{"method":"ping"}'
orders add --pair XBTUSD --side buy --type limit --volume 0.01 --price 25000 --time-in-force GTC --post-only true --confirm
call funding.withdraw-info --asset ETH --key MyWallet --amount 0.5

Configuration

Non-secret config is read from environment or OPENCLAW_KRAKEN_CONFIG.
Secrets must be provided via environment variables that OpenClaw resolves from secret refs.
See {baseDir}/README.md for examples.

安全使用建议

This appears to be a genuine Kraken CLI, but the published metadata is incomplete: the code needs KRAKEN_API_SECRET and futures API secrets (and may need node, base64, od, jq) even though the skill only declared KRAKEN_API_BASE_URL and KRAKEN_API_KEY. Before installing: (1) ask the publisher to update SKILL.md/registry metadata to list all required secret environment variables and runtime binaries; (2) confirm how OpenClaw will inject the additional secrets (KRAKEN_API_SECRET, KRAKEN_FUTURES_API_KEY/SECRET) as secret refs rather than plaintext; (3) if you will allow agent-autonomous invocation, ensure you trust the skill because it can place trades/withdraw funds (state-changing operations require --confirm but confirm behavior can be changed via KRAKEN_REQUIRE_CONFIRM); and (4) review included test files (they contain example secret strings) and ensure no real secrets are embedded. If you cannot obtain an updated, complete metadata manifest from the publisher, treat the skill as risky and avoid installing it into agents that have access to real exchange API credentials.

功能分析

Type: OpenClaw Skill Name: kraken-spot Version: 1.2.0 The skill bundle is a well-structured and security-conscious Bash CLI for interacting with Kraken Spot and Futures APIs. It implements several protective measures, including automated redaction of API keys and signatures in stderr logs (lib/kraken_redact.sh), a local registry-based allow-list for API endpoints (config/endpoints.tsv), and mandatory confirmation flags for state-changing operations. The logic for authentication and request signing follows standard Kraken API specifications using openssl, and no evidence of data exfiltration, unauthorized network calls, or malicious prompt injection was found.

能力评估

⚠ Purpose & Capability

The skill's name/description (Kraken Spot/Futures CLI) matches the code: the CLI implements public, private, futures, and websocket flows and will legitimately need Kraken API keys/secrets for private endpoints. However the registry metadata and SKILL.md only declare KRAKEN_API_BASE_URL and a primaryEnv KRAKEN_API_KEY; the implementation also requires KRAKEN_API_SECRET, KRAKEN_FUTURES_API_KEY, and KRAKEN_FUTURES_API_SECRET for private/futures calls. That mismatch between stated requirements and actual necessary credentials is an incoherence.

⚠ Instruction Scope

SKILL.md instructs the agent to run the local bin/openclaw-kraken CLI and to read secrets from environment (OpenClaw secret refs). The instructions themselves are scoped to Kraken APIs. The problem: the SKILL.md metadata omits several environment variables and runtime binaries that the code actually reads/uses (see environment_proportionality and install_mechanism). The code reads many env vars (KRAKEN_API_SECRET, KRAKEN_FUTURES_API_KEY/SECRET, KRAKEN_OTP, KRAKEN_REQUIRE_CONFIRM, etc.) and may invoke a Node websocket client; SKILL.md does not list those explicitly in the published requires block.

ℹ Install Mechanism

This skill is instruction-only in the registry (no remote install script), and all code is included in the bundle (no downloads from arbitrary URLs) — low install risk. Minor oddities: the CLI shebang points to /opt/homebrew/bin/bash (non-portable) and the skill includes a Node script (scripts/ws_client.mjs) but the metadata does not list node as a required runtime.

⚠ Credentials

Metadata declares only KRAKEN_API_BASE_URL and marks KRAKEN_API_KEY as primary, but the code requires additional secrets: KRAKEN_API_SECRET for private REST signing, plus KRAKEN_FUTURES_API_KEY and KRAKEN_FUTURES_API_SECRET for futures private endpoints. The code also expects utilities like base64 and od and may require jq for some output modes. The registry/metadata under-declares sensitive env vars and runtime dependencies, which is disproportionate and could lead to silent failures or unexpected secret exposure if the platform doesn't inject those secrets.

✓ Persistence & Privilege

always:false and no special privileges requested. The skill does not request system-wide config changes or other skills' credentials. Autonomous invocation (disable-model-invocation:false) is the platform default; by itself this is not flagged, and here it does not combine with other escalation markers.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install kraken-spot
安装完成后，直接呼叫该 Skill 的名称或使用 /kraken-spot 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.2.0

Fix: include bin/openclaw-kraken and config/ that were dropped by clawhub publish bug; fix bash 4.2+ shebang for macOS

v1.1.0

Fork: include bin/openclaw-kraken and config/ missing from 1.0.0; fix bash shebang for macOS

元数据

Slug kraken-spot

版本 1.2.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 2

常见问题

Kraken CLI 是什么？

Use a Bash CLI to query Kraken Spot and Futures APIs, inspect account state, run guarded trading and funding actions, and work with Kraken websocket payloads... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 285 次。

如何安装 Kraken CLI？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install kraken-spot」即可一键安装，无需额外配置。

Kraken CLI 是免费的吗？

是的，Kraken CLI 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Kraken CLI 支持哪些平台？

Kraken CLI 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Kraken CLI？

由 Gabriel Chiappa（@gabriel-0110）开发并维护，当前版本 v1.2.0。