v0.1.0

Zerion Api

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:22 AM.

Analysis

This instruction-only skill is coherent with its stated purpose, but users should notice that it requires a Zerion API key and routes wallet queries through Zerion’s remote MCP service.

Guidance: Before installing, confirm you trust Zerion’s remote MCP service, use a dedicated API key, and avoid submitting wallet addresses or customer/competitor research that you do not want handled by that third-party provider.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
**Note**: API key required for authentication - get yours at https://developers.zerion.io

The skill requires a third-party API key. This is expected for Zerion API access and is disclosed, but users should treat the key as a credential and keep it scoped and revocable.

User impact: Anyone configuring the skill will need to provide a Zerion API key that authorizes requests to Zerion’s service.
Recommendation: Use a dedicated Zerion API key, store it only in the intended MCP configuration, rotate it if exposed, and avoid reusing credentials across services.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
**URL**: `https://developers.zerion.io/mcp`
**Type**: Remote HTTP MCP server

The skill uses a disclosed remote MCP server, so wallet addresses and related query context may be sent to Zerion. This is aligned with the skill’s purpose, but users should understand the external data flow.

User impact: Queries about wallet addresses, portfolios, transactions, or customer/competitor research may be visible to the Zerion service handling the MCP request.
Recommendation: Only query wallet addresses you are comfortable sending to Zerion, and review Zerion’s API terms and privacy practices for sensitive business or customer research.