Test
v0.0.1CLI for crypto portfolio tracking, market data, and CEX history. Use when the user asks about crypto prices, wallet balances, portfolio values, Coinbase/Binance holdings, or Polymarket predictions.
⭐ 1· 2k·14 current·14 all-time
by@arein
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (crypto portfolio, CEX history, market data) matches the commands in SKILL.md, but the skill metadata declares no required binaries, no required environment variables, and no install. SKILL.md clearly expects an external 'onchain' CLI binary and multiple API keys (DeBank, Helius, Coinbase, Binance). That mismatch (instructions require a CLI and secrets but metadata lists none) is incoherent.
Instruction Scope
Runtime instructions tell the agent to run 'onchain <command>' extensively, read/write a config file at ~/.config/onchain/config.json5, and use API keys. The instructions do not ask the agent to exfiltrate unrelated files, but they do assume a CLI and local config exist; there is no guidance about where that binary comes from. The interactive 'onchain setup' and saved-wallet behavior imply persistent local configuration that may contain secrets.
Install Mechanism
There is no install spec (instruction-only), which lowers file-write risk, but is inconsistent with the SKILL.md that relies on an external 'onchain' CLI. If the runtime does not already have the binary, the instructions are non-functional. The absence of a provenance/source or install mechanism for the CLI is a red flag (unknown origin).
Credentials
SKILL.md lists multiple sensitive API keys (DEBANK_API_KEY, HELIUS_API_KEY, COINBASE_API_KEY/SECRET, BINANCE_API_KEY/SECRET) which are proportionate to crypto/CEX functionality, but the skill metadata declares no required env vars. That divergence is noteworthy. Also, CEX API secrets can grant trading/withdrawal access if created with broad permissions — the SKILL.md does not instruct to prefer read-only keys or warn about key permissions.
Persistence & Privilege
The skill is not always-enabled and does not request system-level persistence. It references a per-user config path (~/.config/onchain/config.json5) which is expected for a CLI and is scoped to the user's home; no evidence the skill modifies other skills or system-wide settings.
What to consider before installing
This skill's instructions expect an external 'onchain' CLI and multiple crypto exchange/API keys, but the registry metadata doesn't declare any required binary or environment variables — that mismatch is the main concern. Before installing or using it: (1) verify where the 'onchain' binary comes from and only use a trusted source; (2) do not provide exchange API keys with withdrawal or trading permissions — create read-only keys if possible; (3) inspect ~/.config/onchain/config.json5 if it will store secrets, and prefer storing keys in a secure vault rather than plain config files; (4) confirm whether your agent/runtime already has the CLI available (the skill provides no install); and (5) treat this skill cautiously because the author/source is unknown. If you need, ask the publisher for an install manifest and privacy/security details (where the binary is distributed from, expected file writes, and recommendations for minimal API key scopes).Like a lobster shell, security has layers — review code before you run it.
latestvk973mz13h7nzyjcbmqqe0jvzsx7zyrq2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.