Reliable Bitcoin Price Feed
PassAudited by ClawScan on May 1, 2026.
Overview
The skill coherently streams Bitcoin price data from Bitquery, with the main cautions being its required Bitquery API key, URL-based token use, and an external Python dependency.
This appears suitable if you intend to use Bitquery for a live Bitcoin price stream. Before installing, be aware that the registry metadata does not declare the required BITQUERY_API_KEY, avoid exposing the token in logs or command histories, and install the Python dependency in a sandbox or virtual environment.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Bitquery API key could be exposed if full WebSocket URLs are logged, copied, or stored by tooling.
The skill needs a Bitquery credential that is not declared in the registry metadata, and it uses the token in the WebSocket URL. This is disclosed and purpose-aligned, but users should treat the key carefully.
The registry may not list `BITQUERY_API_KEY` even though this skill and its script require it... The API key must be passed in the WebSocket URL as a query parameter
Use a scoped Bitquery token if available, store it only in a secure environment variable, avoid logging full URLs, and rotate the key if it may have been exposed.
Installing the dependency may pull newer package versions than the publisher tested.
The skill depends on an external Python package with a lower-bound version rather than a fully pinned dependency. This is expected for a GraphQL WebSocket client, but users should be aware of dependency provenance.
gql[websockets]>=3.5.0
Install in a virtual environment or sandbox, review dependency provenance, and consider pinning a known-good version for repeatable use.