coinbase-openapi-skill
Warn
Audited by Snyk on Mar 29, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill instructs uxc to fetch the curated OpenAPI schema at runtime from https://raw.githubusercontent.com/holon-run/uxc/main/skills/coinbase-openapi-skill/references/coinbase-advanced-trade.openapi.json, and that externally-fetched JSON directly determines the CLI/API operation surface (controlling agent behavior) and is a required dependency.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to operate Coinbase Advanced Trade APIs, including authenticated account reads and high-risk write operations: notably post:/api/v3/brokerage/orders and post:/api/v3/brokerage/orders/batch_cancel. It includes explicit JWT bearer auth guidance (storing key_id and private_key, minting request-scoped JWTs) needed to sign and execute trades. These are direct crypto/market order execution capabilities (place/cancel orders), so the tool's primary and explicit purpose is to move financial assets.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata