UPBIT market data get skill

Fetch market data from Upbit via CLI commands including pairs, candles, trades, tickers, orderbooks, and watchlist with JSON output.

This skill appears to do what it says: a Node.js CLI that calls Upbit's public market endpoints and outputs JSON. Before installing or running it: 1) place any Upbit accessKey/secretKey only in a secure local config file (config/config.json) and avoid committing that file to VCS; the skill will read that file if you include keys. 2) If you do not need authenticated endpoints, you can leave the keys empty — the included market-data calls are public. 3) Be careful when overriding config with --config: pointing the tool at a file you don't control could expose secrets in that file to the process. 4) Verify the config.baseUrl if you change it — pointing it to a non-Upbit host would send requests (and any signed token) to that host. 5) The presence of JWT signing code is expected for authenticated Upbit APIs but is not used by the existing public endpoints; this is a minor inconsistency but not malicious.

Type: OpenClaw Skill Name: upbit-market-data-skill Version: 1.0.2 The skill exhibits significant vulnerabilities, specifically a Local File Inclusion (LFI) risk in `src/config.js` where the configuration file path can be overridden via `--config` or `UPBIT_SKILL_CONFIG` environment variable, allowing the skill to read arbitrary local files. Additionally, there is a Server-Side Request Forgery (SSRF) risk in `src/upbit/client.js` as the `baseUrl` is loaded from the config without validation and used directly in `fetch`, potentially allowing an attacker to make the skill send requests to internal network resources. While these are critical flaws, they are vulnerabilities that *allow* attacks rather than code *designed* for malicious actions like data exfiltration or persistence, thus classifying it as suspicious.