0xArchive

Pass

Audited by ClawScan on May 8, 2026.

Overview

The skill appears to be a read-only 0xArchive market-data helper that uses Bash/curl and a provider API key, with no artifact-backed malicious behavior shown.

Install this if you want an agent to query 0xArchive market data. Provide only the OXARCHIVE_API_KEY needed for this service, review any Bash commands before execution, and do not provide wallet or trading credentials unless you separately verify a complete documented need.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may run shell commands to contact the 0xArchive API; misuse could run commands outside the intended market-data queries.

Why it was flagged

The skill grants Bash access so the agent can run curl requests. This matches the stated API-query purpose, but Bash is broader than a narrowly scoped API client.

Skill content

allowed-tools: Bash ... Query historical and real-time crypto market data from **0xArchive** using `curl`.

Recommendation

Use the skill for user-requested 0xArchive lookups and review any proposed Bash command that goes beyond curl requests to api.0xarchive.io.

What this means

The agent will use your 0xArchive API key when making API requests.

Why it was flagged

The skill requires a provider API key and sends it as an authentication header. This is expected for the service and no artifact shows unrelated use, logging, or exfiltration.

Skill content

All endpoints require the `x-api-key` header. The key is read from `$OXARCHIVE_API_KEY`.

Recommendation

Use a scoped, rotatable 0xArchive key and confirm requests are only sent to the intended 0xArchive API endpoint.