Use a Bash CLI to query Kraken Spot and Futures APIs, inspect account state, run guarded trading and funding actions, and work with Kraken websocket payloads...
Security Analysis
High confidence: The skill is a legitimate Kraken CLI but its declared requirements are incomplete and inconsistent with the shipped code (missing secret env declarations and missing runtime binaries), so you should review metadata and secret exposure before installing.
The skill's name/description (Kraken Spot/Futures CLI) matches the code: the CLI implements public, private, futures, and websocket flows and will legitimately need Kraken API keys/secrets for private endpoints. However the registry metadata and SKILL.md only declare KRAKEN_API_BASE_URL and a primaryEnv KRAKEN_API_KEY; the implementation also requires KRAKEN_API_SECRET, KRAKEN_FUTURES_API_KEY, and KRAKEN_FUTURES_API_SECRET for private/futures calls. That mismatch between stated requirements and actual necessary credentials is an incoherence.
SKILL.md instructs the agent to run the local bin/openclaw-kraken CLI and to read secrets from environment (OpenClaw secret refs). The instructions themselves are scoped to Kraken APIs. The problem: the SKILL.md metadata omits several environment variables and runtime binaries that the code actually reads/uses (see environment_proportionality and install_mechanism). The code reads many env vars (KRAKEN_API_SECRET, KRAKEN_FUTURES_API_KEY/SECRET, KRAKEN_OTP, KRAKEN_REQUIRE_CONFIRM, etc.) and may invoke a Node websocket client; SKILL.md does not list those explicitly in the published requires block.
This skill is instruction-only in the registry (no remote install script), and all code is included in the bundle (no downloads from arbitrary URLs) — low install risk. Minor oddities: the CLI shebang points to /opt/homebrew/bin/bash (non-portable) and the skill includes a Node script (scripts/ws_client.mjs) but the metadata does not list node as a required runtime.
Metadata declares only KRAKEN_API_BASE_URL and marks KRAKEN_API_KEY as primary, but the code requires additional secrets: KRAKEN_API_SECRET for private REST signing, plus KRAKEN_FUTURES_API_KEY and KRAKEN_FUTURES_API_SECRET for futures private endpoints. The code also expects utilities like base64 and od and may require jq for some output modes. The registry/metadata under-declares sensitive env vars and runtime dependencies, which is disproportionate and could lead to silent failures or unexpected secret exposure if the platform doesn't inject those secrets.
always:false and no special privileges requested. The skill does not request system-wide config changes or other skills' credentials. Autonomous invocation (disable-model-invocation:false) is the platform default; by itself this is not flagged, and here it does not combine with other escalation markers.
Guidance
This appears to be a genuine Kraken CLI, but the published metadata is incomplete: the code needs KRAKEN_API_SECRET and futures API secrets (and may need node, base64, od, jq) even though the skill only declared KRAKEN_API_BASE_URL and KRAKEN_API_KEY. Before installing: (1) ask the publisher to update SKILL.md/registry metadata to list all required secret environment variables and runtime binaries; (2) confirm how OpenClaw will inject the additional secrets (KRAKEN_API_SECRET, KRAKEN_FUTURES_API_KEY/SECRET) as secret refs rather than plaintext; (3) if you will allow agent-autonomous invocation, ensure you trust the skill because it can place trades/withdraw funds (state-changing operations require --confirm but confirm behavior can be changed via KRAKEN_REQUIRE_CONFIRM); and (4) review included test files (they contain example secret strings) and ensure no real secrets are embedded. If you cannot obtain an updated, complete metadata manifest from the publisher, treat the skill as risky and avoid installing it into agents that have access to real exchange API credentials.
Latest Release
v1.2.0
Fix: include bin/openclaw-kraken and config/ that were dropped by clawhub publish bug; fix bash 4.2+ shebang for macOS
Published by @Gabriel-0110 on ClawHub