Onchain Test
v0.1.2
CLI for crypto portfolio tracking, market data, and CEX history. Use when the user asks about crypto prices, wallet balances, portfolio values, Coinbase/Binance holdings, or Polymarket predictions.
by @arein
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The described capabilities (wallet balances, CEX history, market data, Polymarket) legitimately require API keys and access to user wallet addresses; that matches the SKILL.md/README functionality. However the registry metadata lists no required env vars or install steps despite the CLI clearly needing API keys and an npm package, an inconsistency worth flagging.
Instruction Scope
SKILL.md stays within the stated purpose: it instructs the agent to run the onchain CLI, use --json, check exit codes, and read/write a config at ~/.config/onchain/config.json5. It does not instruct reading unrelated system files or exfiltrating data to unknown endpoints. It does, however, expect the agent to have or install the CLI binary.
Install Mechanism
No install spec is declared in the registry, but the README instructs installing @cyberdrk/onchain via npm or npx. That means executing third‑party code from the npm registry (source unknown to the registry entry) if the user follows the docs — a nontrivial risk because the skill metadata did not declare this and there is no provided provenance or homepage.
Credentials
SKILL.md/README list multiple sensitive credentials (DeBank, Helius, Coinbase, Binance API keys/secrets, etc.) which are proportionate to the CLI's features. However the registry metadata lists no required env vars and the SKILL.md and README use inconsistent env var names for some providers (e.g., Coinbase variable names differ). Requesting CEX API keys is expected for those features, but the omission and inconsistencies are suspicious and increase the chance of misconfiguration or accidental exposure.
Persistence & Privilege
The skill does not request permanent platform presence (always: false) and does not claim to modify other skills. It will store configuration and possibly API keys at ~/.config/onchain/config.json5 per its docs, which is normal for a CLI but means secrets will be stored on disk — users should verify how the CLI stores/encrypts those secrets before use.
What to consider before installing
This skill appears to be a plausible crypto CLI, but there are red flags you should address before installing:
1) The registry metadata omits required install and credential info while the SKILL.md/README require multiple sensitive API keys — confirm the exact env var names and which keys are mandatory.
2) The README points to npm package @cyberdrk/onchain; verify the package's publisher, source repository, and reviews on npm/GitHub before running npm install or npx.
3) Give CEX API keys only minimal permissions (read/trade-only, no withdraw) and prefer read-only or limited-scope keys.
4) Inspect how the CLI stores secrets in ~/.config/onchain/config.json5 (is it plaintext?), and avoid storing long-lived secrets unencrypted.
5) If you plan to let an agent call this skill autonomously, consider limiting that agent's permissions or running the CLI in an isolated environment (container, VM).
6) Ask the publisher for source code or a homepage; lack of provenance + missing registry metadata increases risk.
If you cannot verify the package/source, treat it as untrusted and avoid installing it on sensitive systems.
Like a lobster shell, security has layers — review code before you run it.
latest vk97d3et5v5wtk360ew3dmy89hh7zzcxs
