Onchain CLI Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent crypto lookup skill, but it asks users to run an unreviewed external npm CLI and provide exchange API secrets without clear read-only scoping.
Only install this if you trust the @cyberdrk/onchain npm package. Before setup, verify the package/source, use read-only exchange API keys with trading and withdrawals disabled, and protect ~/.config/onchain/config.json5 because it may contain sensitive configuration.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user supplies an exchange key with broad permissions, the external CLI may receive authority beyond simple balance/history viewing.
The skill asks for crypto exchange API secrets to access account balances and trade history. This is purpose-aligned, but the artifacts do not specify read-only permission requirements or warn users to disable trading/withdrawal capabilities.
Coinbase CEX | `COINBASE_API_KEY` + `COINBASE_API_SECRET` ... Binance CEX | `BINANCE_API_KEY` + `BINANCE_API_SECRET`
Use newly created read-only API keys only, disable trading and withdrawals, and avoid entering exchange secrets until the package source and permissions are verified.
Installing or running the npm package may execute unreviewed code with the user's local privileges and access to configured API keys.
The README directs users to install or execute an external npm package, while the provided skill has no code files or install spec and the registry source is unknown. That leaves the actual credential-handling behavior outside the reviewed artifacts.
npm install -g @cyberdrk/onchain ... npx @cyberdrk/onchain price btc
Verify the npm package provenance and source code, pin a trusted version, and consider running it in an isolated environment before providing credentials.
Wallet addresses and transaction lookups can be correlated by the external providers that serve them; this is expected for the feature but worth knowing before querying sensitive wallets.
The skill discloses that transaction lookups use external provider APIs. Wallet addresses, transaction hashes, and market queries may be sent to third-party services as part of normal operation.
The CLI queries Etherscan/Solscan APIs directly
Avoid querying addresses or transactions you do not want shared with the listed providers, and review provider privacy policies for sensitive wallets.
