Onchain Test
Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill’s stated crypto-tracking purpose is coherent, but it asks users to trust an unreviewed external npm CLI with crypto exchange API secrets, without specifying read-only key scopes or how those secrets are stored.
Before installing, verify the @cyberdrk/onchain npm package and use only dedicated read-only exchange API keys with trading and withdrawals disabled. Be aware that setup may store keys in local config files, so protect those files and revoke keys if they are exposed.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the npm package would execute code outside the reviewed artifacts, and that code is intended to handle crypto portfolio and exchange-account data.
The reviewed artifact set is instruction-only with no included code or install spec, but the README tells users to install or run an external npm CLI that is not version-pinned or reviewable here.
`npm install -g @cyberdrk/onchain` ... `npx @cyberdrk/onchain price btc`
Only install the external CLI if you independently trust and verify the npm package, its publisher, and its source; prefer a pinned version and inspect the package before giving it credentials.
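The inspection the recommendation above calls for, as an added shell example that is not part of the ClawScan report or the @cyberdrk/onchain project. It assumes the npm CLI is on PATH and that the version you pass is one `npm view` actually reports; the two offline helpers operate on an extracted tarball, and the "risky" pattern is a heuristic for where to start reading, not a verdict.

```sh
#!/bin/sh
# Added example: inspect an npm CLI before trusting it, then install a pinned,
# reviewed version. Not the ClawScan report's or the project's own code.
# Assumes npm is on PATH; "@cyberdrk/onchain" is the package named in the
# report, and the version string is an assumption supplied by the caller.
set -eu

# Print the install-time lifecycle hooks declared in a package.json. npm runs
# these as arbitrary code during `npm install`, so every hit gets read by hand.
lifecycle_hooks() {
  grep -oE '"(preinstall|install|postinstall|prepare|prepublish)"[[:space:]]*:' "$1" \
    | sed -E 's/^"([a-z]+)".*/\1/' || true
}

# Count JavaScript files in an extracted package that spawn processes or
# evaluate dynamic code; those are the files to read first (heuristic only).
risky_refs() {
  find "$1" -type f \( -name '*.js' -o -name '*.mjs' -o -name '*.cjs' \) \
    -exec grep -lE 'child_process|eval\(|new Function\(' {} + | wc -l | tr -d ' '
}

# Network flow: record the exact version, integrity hash and repository, fetch
# the tarball without running any scripts, extract it, and summarise what to
# review before anything is installed globally.
review_package() {
  pkg="$1"; ver="$2"
  npm view "$pkg@$ver" version dist.integrity repository.url
  work=$(mktemp -d)
  ( cd "$work" && npm pack --ignore-scripts "$pkg@$ver" >/dev/null && tar -xzf ./*.tgz )
  echo "lifecycle hooks:"; lifecycle_hooks "$work/package/package.json"
  echo "files with process-spawning or eval references: $(risky_refs "$work/package")"
  echo "extracted to $work/package; read it before giving the CLI any credentials"
  # Install exactly the reviewed version, with lifecycle scripts disabled.
  echo "install with: npm install -g --ignore-scripts $pkg@$ver"
}

# Usage: sh review-npm.sh @cyberdrk/onchain <version>   (version is an assumption)
if [ -n "${1:-}" ]; then
  review_package "$1" "${2:-latest}"
fi
```

Pinning to the version and integrity hash you reviewed matters because `npm install -g @cyberdrk/onchain` with no version resolves to whatever is latest at install time, which may not be the code you read.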
If a user supplies exchange keys with broad permissions, the external CLI’s authority extends beyond reading balances and history to placing trades or withdrawing funds.
The skill requires high-impact financial exchange API credentials for CEX balance/history access, but the artifacts do not specify least-privilege scopes or warn users to disable trading and withdrawals.
Coinbase CEX | `COINBASE_API_KEY` + `COINBASE_API_SECRET` ... Binance CEX | `BINANCE_API_KEY` + `BINANCE_API_SECRET`
Create dedicated read-only API keys with trading and withdrawal permissions disabled, restrict each key to a known IP address where the exchange supports it, never reuse keys across tools, and revoke them when no longer needed.
Sensitive API keys may remain on disk after setup and could be exposed to other local processes, backups, or accidental sharing of project files.
The documentation indicates credentials can be stored persistently in local config files, but does not describe protection, permissions, encryption, or safe handling for exchange API secrets.
Config file locations:
- Global: `~/.config/onchain/config.json5`
- Local: `./.onchainrc.json5`
Prefer environment variables or a secure secret manager when possible, check file permissions, never commit local config files, and revoke keys if a config file may have been exposed.
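An audit of the two config paths the README names, as an added shell example that is not part of the ClawScan report or the @cyberdrk/onchain project. It assumes the two paths quoted above; because the artifacts do not document the config schema, the field-name pattern used to spot plaintext credentials is a heuristic, and the secret-manager command in the comment is a placeholder for whatever you use.

```sh
#!/bin/sh
# Added example: audit and lock down the config files the README names, and
# prefer environment variables over on-disk secrets. Not the report's or the
# project's own code. The credential field pattern is an assumption.
set -eu

GLOBAL_CFG="${HOME:-}/.config/onchain/config.json5"
LOCAL_CFG="./.onchainrc.json5"

# Octal permission bits of a file, on GNU (stat -c) or BSD (stat -f) userlands.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when no group or other bits are set (last two octal digits are 00).
owner_only() {
  case "$(file_mode "$1")" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Heuristic: does the file appear to carry exchange credentials in the clear?
has_plaintext_secrets() {
  grep -qiE 'api[_-]?(secret|key)|passphrase' "$1"
}

# Print "absent", "ok", or a space-separated list of problems for one file.
audit_config() {
  f="$1"; issues=""
  [ -e "$f" ] || { echo "absent"; return 0; }
  owner_only "$f" || issues="$issues group-or-world-readable"
  has_plaintext_secrets "$f" && issues="$issues plaintext-secrets"
  if [ -n "$issues" ]; then echo "${issues# }"; else echo "ok"; fi
}

# Remediation: owner-only permissions; if the file sits inside a git checkout,
# make sure it is ignored, and warn if it is already tracked (then the keys
# are in history and must be revoked, not just deleted).
lock_down() {
  f="$1"; dir=$(dirname "$f")
  chmod 600 "$f"
  if command -v git >/dev/null 2>&1 && git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    if git -C "$dir" ls-files --error-unmatch "$f" >/dev/null 2>&1; then
      echo "WARNING: $f is tracked by git; run git rm --cached on it and revoke the keys"
    fi
    if ! git -C "$dir" check-ignore -q "$f"; then
      printf '%s\n' "$(basename "$f")" >> "$(git -C "$dir" rev-parse --show-toplevel)/.gitignore"
    fi
  fi
}

# Preferred: keep secrets out of both files and hand them to the CLI per
# session. The variable names are the ones the README lists; the command on
# the right is a placeholder for your secret manager, not a real tool.
#   export COINBASE_API_KEY="$(your-secret-manager get coinbase/read-only/key)"
#   export COINBASE_API_SECRET="$(your-secret-manager get coinbase/read-only/secret)"

for cfg in "$GLOBAL_CFG" "$LOCAL_CFG"; do
  echo "$cfg: $(audit_config "$cfg")"
done
```

Run the audit before and after setup: a "group-or-world-readable" result on a file that also reports "plaintext-secrets" means other local users and any process running as them could already have read the keys, which is the case for revoking them rather than only fixing permissions.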
