Fetches cryptocurrency market data, prices, technical analysis, news, and trends using the CoinMarketCap MCP. Use for ANY question involving cryptocurrencies...
Security Analysis
medium confidence
The skill’s purpose and runtime instructions (using CoinMarketCap MCP and an API key) are coherent, but there are inconsistencies between the SKILL.md and the registry metadata and the skill is written to aggressively fetch data for any crypto mention — review API-key handling, triggers, and privacy/rate-limit implications before installing.
The skill's declared functionality (fetching CMC market data via MCP tools) aligns with the tools listed in SKILL.md and the required CoinMarketCap API key; however the registry metadata provided with the skill notes 'Required env vars: none' and 'Primary credential: none' while SKILL.md clearly declares a required credential (X-CMC-MCP-API-KEY). This metadata mismatch is inconsistent and should be corrected/clarified.
SKILL.md contains explicit, narrow instructions for which MCP tools to call for particular data types and how to handle errors. However, it also instructs the agent to 'use for ANY question involving cryptocurrencies... even if the user doesn't explicitly ask for data' and to 'err on the side of fetching more data.' That is aggressive: it may cause frequent external API calls for incidental mentions, increasing privacy exposure and rate-limit / cost risk. The instructions do not request unrelated system files or secrets.
Instruction-only skill with no install spec and no code files — lowest install risk. The runtime surface is the platform's tool invocation, not downloaded code. No suspicious download or extract behavior is present.
SKILL.md requires a CoinMarketCap MCP API key (X-CMC-MCP-API-KEY) and shows storing it in an mcpServers configuration entry. That credential is appropriate for the stated purpose. The concern is that the registry metadata/requirements in the skill listing do not reflect this (they show no required env/primary credential), which leaves it ambiguous where and how the key is expected to be provided and stored. Also, because the skill encourages broad/autonomous use, the API key could be used frequently, so check key permissions, quotas, and monitoring.
always is false (good). The SKILL.md references storing the API key in agent settings (mcpServers), which implies the skill expects to read/write its own config; that's normal. The combination of autonomous invocation (platform default) with the skill's broad trigger rules is notable — if you want to limit external calls, require explicit user consent before each external API usage or restrict triggers.
Guidance
What to check before installing:
- Confirm the registry metadata vs SKILL.md: SKILL.md requires a CoinMarketCap MCP API key (X-CMC-MCP-API-KEY). Make sure the platform will prompt for and securely store that key (mcpServers), and fix the metadata mismatch.
- Review how/when the skill is invoked: SKILL.md says to trigger on any crypto mention and to 'fetch more data' by default — this may cause many external API calls, exposing user queries to CoinMarketCap and consuming API quota or incurring costs. Consider requiring explicit user permission before calls for incidental mentions.
- Limit API-key permissions and monitor usage: use a key with minimal necessary scopes, check rate limits, and enable monitoring/alerts on the account so unexpected use is detected quickly.
- Privacy and data exposure: be aware that user queries and any data sent to MCP will go to CoinMarketCap. If you handle sensitive portfolio or account info, consider whether sending it to the third-party API is acceptable.
- If you need higher assurance: ask the maintainer (repo/homepage) to update the skill listing to declare required credentials in registry metadata and to document exactly how the key is stored and when the skill will call external tools. That clarification would raise confidence.
Latest Release
v1.0.3
- Added homepage and source fields to the skill metadata for improved discoverability and transparency.
- No changes to skill logic or functionality.
Published by @bryan-cmc on ClawHub