ClawHub

Zerion Api

v0.1.0

Access real-time crypto wallet portfolios, transactions, DeFi positions, token prices, NFTs, and gas fees across EVM chains and Solana via Zerion API.

0· 1.2k·0 current·0 all-time
by@abishekdharshan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md clearly requires a Zerion API key to query wallet, price, and DeFi data, but the registry metadata lists no required environment variables or primary credential. The skill's stated purpose (calling Zerion MCP) is reasonable, but the required secret is not declared in the manifest, which is an incoherence the user should be aware of.
Instruction Scope
The runtime instructions are narrowly scoped to querying the remote Zerion MCP endpoint and give example queries and a JSON snippet for MCP config. They do not instruct the agent to read unrelated local files or exfiltrate arbitrary data. However, the instructions are vague about where the API key should be stored (registry-level requires.env is empty) and how secrets are protected.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer — the install surface is minimal and low-risk.
!
Credentials
Although the service legitimately needs an API key, the skill manifest does not declare any required env vars or a primary credential. That omission makes it unclear how the agent will obtain or store the API key; the lack of declared credential handling is disproportionate to the claimed functionality and increases risk.
Persistence & Privilege
The skill does not request always:true, does not declare config paths, and is user-invocable with normal autonomous invocation allowed. There is no evidence it attempts to modify other skills or request persistent system privileges.
What to consider before installing
This skill looks like a straightforward connector to Zerion's MCP API, but the manifest fails to declare the required API key. Before installing, confirm: (1) where and how the API key is provided to the agent (manifest requires.env or MCP config), (2) that you will use a least-privilege/read-only key (not any private wallet keys), (3) that the endpoint is the official developers.zerion.io URL shown in the SKILL.md, and (4) how the agent stores and protects the key (avoid cleartext in public config). If the author cannot clarify how credentials are handled, treat the skill cautiously or request an updated manifest that lists the required credential and secure storage guidance.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dwjvk06s0651jfdwjmta30580k949

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments