v0.1.0

Dappier

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:27 AM.

Analysis

The skill is a straightforward Dappier API wrapper; it uses your Dappier API key and sends requested searches, including any addresses you provide, to Dappier with no hidden install, persistence, or local data access shown.

Guidance

Install if you are comfortable providing a Dappier API key and sending the queries you ask it to run to Dappier. Prefer a dedicated API key, avoid sensitive personal queries unless intended, and treat returned search/news/model content as untrusted information rather than instructions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/realtime-search.mjs
const apiKey = (process.env.DAPPIER_API_KEY ?? "").trim(); ... Authorization: `Bearer ${apiKey}`

The skill reads the declared Dappier API key and sends it as an authorization token for API requests, giving the skill authority to use that Dappier key/account.

User impact: Your Dappier account or quota can be used whenever the agent invokes these tools.
Recommendation: Use a dedicated, revocable Dappier API key, avoid exposing it in prompts or logs, and monitor or rotate it if needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/stellar-ai.mjs
Usage: stellar-ai.mjs "residential home address" ... body: JSON.stringify({ query })

The Stellar AI tool is documented to accept a residential address and the script posts the user-supplied query to Dappier, creating an external provider data flow.

User impact: Search terms, tickers, and addresses you provide may be sent to Dappier for processing.
Recommendation: Only submit personal locations or sensitive queries when you are comfortable sharing them with Dappier; review Dappier’s privacy and retention terms if that matters for your use case.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
scripts/realtime-search.mjs
const message = String(data?.message ?? "").trim(); ... console.log(message);

Remote search/model output is printed directly into the agent’s context as result text; this is expected, but retrieved content can be misleading or instruction-like.

User impact: Returned web or news content could influence later agent responses if treated as authoritative instructions rather than search results.
Recommendation: Treat Dappier results as untrusted reference material: verify important facts and ignore any instructions embedded in returned content.