0xArchive
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to be a read-only 0xArchive market-data helper that uses Bash/curl and a provider API key, with no artifact-backed malicious behavior shown.
Install this if you want an agent to query 0xArchive market data. Provide only the OXARCHIVE_API_KEY needed for this service, review any Bash commands before execution, and do not provide wallet or trading credentials unless you separately verify a complete documented need.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run shell commands to contact the 0xArchive API; misuse could run commands outside the intended market-data queries.
The skill grants Bash access so the agent can run curl requests. This matches the stated API-query purpose, but Bash is broader than a narrowly scoped API client.
allowed-tools: Bash ... Query historical and real-time crypto market data from **0xArchive** using `curl`.
Use the skill for user-requested 0xArchive lookups and review any proposed Bash command that goes beyond curl requests to api.0xarchive.io.
The agent will use your 0xArchive API key when making API requests.
The skill requires a provider API key and sends it as an authentication header. This is expected for the service and no artifact shows unrelated use, logging, or exfiltration.
All endpoints require the `x-api-key` header. The key is read from `$OXARCHIVE_API_KEY`.
Use a scoped, rotatable 0xArchive key and confirm requests are only sent to the intended 0xArchive API endpoint.