Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alchemy

v1.0.0

Alchemy — blockchain data, NFTs, token balances, transactions, gas prices, and webhooks.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, SKILL.md, and the included Python CLI consistently target Alchemy blockchain APIs and request a single ALCHEMY_API_KEY credential. The operations implemented (balances, NFTs, transactions, logs, gas, etc.) match the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run the bundled Python CLI and only declares ALCHEMY_API_KEY. The CLI will try to read the requested variable from the environment and, if missing, will look up a .env file under WORKSPACE or the default ~/.openclaw/workspace/.env. That file-read behavior is not documented in SKILL.md and is an implementation detail you may want to know about.
Install Mechanism
This is instruction-only with no install spec; the skill ships a single Python script relying only on the stdlib. No external downloads or package installs are requested.
Credentials
Only ALCHEMY_API_KEY is required (declared as primaryEnv), which is proportionate for an Alchemy integration. However, the script also checks WORKSPACE (an undeclared env var) to locate a .env file and may read that file to obtain the key; this could expose where you keep other keys if you re-use a workspace .env file, so be cautious where secrets are stored.
Persistence & Privilege
The skill does not request always:true, does not modify system-wide configs, and has no install step that persists additional components. Autonomous invocation is allowed by default (normal for skills) but not coupled with elevated persistence.
Assessment
This skill appears to be what it claims: a small Python CLI that calls the Alchemy API and needs an ALCHEMY_API_KEY. Before installing, confirm you will provide a dedicated Alchemy API key (least privilege if possible). Be aware the script will, if the env var is not set, attempt to read a .env file under WORKSPACE or ~/.openclaw/workspace/.env to find the key — if you keep multiple secrets in that file, consider moving or isolating them. Review the script yourself if you want to check exact endpoints/parameters (there are a few minor bugs in string placeholders, but nothing that indicates malicious behavior). If you proceed, monitor and be ready to rotate the API key if you suspect leakage.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

⛓️ Clawdis
Env: ALCHEMY_API_KEY
Primary env: ALCHEMY_API_KEY
