Dexscreener API
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: dexscreener Version: 1.0.0 The skill bundle is benign. It provides a CLI to query the public DexScreener API for market data. The `SKILL.md` explicitly sets `disable-model-invocation: true`, preventing the AI agent from autonomously executing the skill, which is a strong defense against prompt injection. The `dexscreener-cli.mjs` script uses `encodeURIComponent` for all user-supplied URL path components, preventing URL injection, and only performs HTTPS GET requests to the specified API. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or obfuscation. The `DEXSCREENER_BASE_URL` environment variable allows overriding the API endpoint, but this is a configuration option, not an inherent vulnerability or malicious act by the skill itself, as the default is the legitimate DexScreener API.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Market lookup inputs may be sent to DexScreener or to another endpoint if the user configures DEXSCREENER_BASE_URL.
The CLI sends user-supplied query, token, chain, and pair parameters to a network API, and the destination can be changed with an environment variable. This is disclosed and purpose-aligned, but it is still network tool use the user should notice.
const BASE_URL = process.env.DEXSCREENER_BASE_URL || "https://api.dexscreener.com"; ... const res = await fetch(url, { signal: controller.signal });Use the default DexScreener endpoint unless you intentionally trust an alternate base URL, and avoid entering private or sensitive data as query text.