Onchain CLI

v0.3.0

CLI for crypto portfolio tracking, market data, CEX history, and transaction lookups. Use when the user asks about crypto prices, wallet balances, portfolio values, Coinbase/Binance holdings, Polymarket predictions, or transaction details.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The CLI's features (prices, wallet balances, CEX history, tx lookup, Polymarket) coherently explain the need for DeBank, Helius, Coinbase, Binance, Etherscan, Solscan, and market API keys. However, the registry metadata declares no required environment variables or credentials while SKILL.md/README clearly list several sensitive keys — an inconsistency between claimed manifest and actual capability.
Instruction Scope
SKILL.md limits actions to running the onchain CLI, guiding users to run an interactive setup, storing config at ~/.config/onchain/config.json5, and calling public APIs (CoinGecko, DeBank, Helius, Etherscan/Solscan, CEX APIs). There are no instructions to read unrelated system files or to transmit data to unexpected endpoints. The only scope creep is the agent-facing note (tell users to run setup/test) which is benign but gives the agent a procedural role.
Install Mechanism
This is an instruction-only skill (no install spec, no code files). README suggests installing via npm (package @cyberdrk/onchain) or npx, but the skill metadata did not include an install source or homepage. That means the agent/user must obtain the binary independently; verify the package/source before installing.
Credentials
SKILL.md and README enumerate multiple required and optional API keys (DEBANK_API_KEY, HELIUS_API_KEY, COINBASE/BINANCE API keys and secrets, ETHERSCAN_API_KEY, SOLSCAN_API_KEY, COINGECKO/COINMARKETCAP). The registry metadata, however, lists no required env vars or primary credential. README and SKILL.md also use inconsistent variable names for Coinbase (different names in README vs SKILL.md). Requesting CEX API keys is plausible for CEX features but these are sensitive (can expose balances and trades) and the manifest should have declared them — omission and naming inconsistencies are a red flag.
Persistence & Privilege
The skill is not forced-always (always:false) and does not request elevated platform privileges. It stores configuration under the user's home config (~/.config/onchain/config.json5), which is typical for a CLI. There is no evidence the skill modifies other skills or system-wide settings.
What to consider before installing
This skill appears to be a legitimate crypto CLI, but exercise caution before installing or providing credentials. Points to consider:
- The SKILL.md/README require multiple sensitive API keys (Coinbase/Binance keys and secrets, DeBank, Helius, Etherscan/Solscan, etc.) but the registry metadata declares no required env vars — ask why the manifest omitted these or prefer a skill that clearly declares required credentials.
- Do not supply CEX API keys with withdrawal permissions; create read-only API keys and enable IP whitelisting if possible. Test first with non-critical or demo accounts and a public wallet address to verify behavior.
- Verify the package source before installing (README references npm package @cyberdrk/onchain). Confirm the publisher, homepage/GitHub repo, and release checksums/signatures if available.
- Note the inconsistent env-var names between README and SKILL.md (e.g., Coinbase key naming); confirm the exact variables the installed CLI expects to avoid accidentally placing secrets in the wrong env variable.
- Check the config file (~/.config/onchain/config.json5) permissions and contents after setup; do not store secrets in world-readable files.
- If you want, I can: (a) attempt to look up the npm package/repo to verify publisher and source, or (b) produce a short checklist to create limited-permission API keys for Coinbase/Binance and to validate CLI behavior with read-only access.

Like a lobster shell, security has layers — review code before you run it.
