by 安全扫描
OpenClaw
可疑
medium confidence该技能的代码与其声明的 Coinbase 交易用途一致,但在凭据请求/存储方式及元数据方面存在一致性问题,用户安装前应予以检查。
评估建议
What to check before installing: 1) Confirm the skill source and author — registry owner ID (kn7df...) does not match the _meta.json ownerId (@mtrab), which may indicate a copy/paste or provenance issue. 2) The registry metadata declares no credentials but the code requires an API key and a PEM private key file; ensure you provide keys only if you trust the author. 3) Prefer storing private keys in a secure location (environment variables or a secrets manager) rather than a plaintext file next t...详细分析 ▾
ℹ 用途与能力
The Python module implements Coinbase CDP API calls (balances, products, orders, fills) consistent with the skill description. However the registry metadata declares no required credentials or env vars, while the SKILL.md/README and the code require an API key and a PEM private key file — a mismatch between declared requirements and actual runtime needs.
ℹ 指令范围
Runtime instructions are narrowly scoped to Coinbase API usage (install cryptography/PyJWT, create .coinbase-api-key and .coinbase-api-secret files, call the provided functions). The instructions do not ask the agent to read unrelated system files or transmit data to non-Coinbase endpoints. Caveat: they require placing a private key file alongside the script, which raises local secrets-management concerns.
✓ 安装机制
This is an instruction-only skill with no install spec and no external binary downloads; risk from installation mechanism is low. Dependencies are standard Python packages (cryptography, PyJWT) noted in README.
⚠ 凭证需求
The skill needs two sensitive secrets (API key and private key PEM) but declares no required env vars or primary credential in the registry. The code reads credential files from the script directory (.coinbase-api-key and .coinbase-api-secret), which is reasonably minimal for the stated purpose but the absence of declared credentials in metadata is an incoherence that should be resolved. Storing an unencrypted private key in the repo directory is a potential security risk.
✓ 持久化与权限
The skill does not request always: true, does not modify other skills, and is user-invocable only. It does not request elevated persistent presence or system-wide changes.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/20
Coinbase Skill 1.0.0 – 新版本将技能从治理/风险分析助手转为面向开发者的交易 API 集成。 - 新增 Python API 函数,通过 Coinbase API 获取账户余额、产品信息、创建订单及查询订单历史。 - 需配置 API key/private key,并安装 cryptography 库以完成鉴权请求。 - 所有交易仅支持 EUR 交易对(如 BTC-EUR)。 - 已移除旧版的机构治理、记录保存与风险隔离文档。
● 无害
安装命令
点击复制官方npx clawhub@latest install openclaw-coinbase
镜像加速npx clawhub@latest install openclaw-coinbase --registry https://cn.longxiaskill.com