Crypto charting with USD pricing (1s)
Review
Audited by ClawScan on May 1, 2026.
Overview
This skill appears to do what it claims—stream public crypto chart data from Bitquery—but it needs careful handling of a Bitquery API key and an unpinned Python dependency.
Install only if you are comfortable providing a Bitquery API key that must be embedded in the WebSocket URL. Use an isolated virtualenv or container, avoid logging full URLs, consider running with `--timeout`, monitor quota usage, and rotate the key if you suspect it was captured.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the full WebSocket URL is captured, someone could use your Bitquery token and consume your account quota.
The skill requires a provider API token and passes it in the URL. This is disclosed and purpose-aligned, but URL-based tokens can leak through logs, proxies, shell history, debuggers, or monitoring tools.
Bitquery's streaming endpoint accepts the token **only in the WebSocket URL** as a query parameter (`?token=...`).
Use a dedicated, rotatable Bitquery key; set it only via environment variable; avoid logging full URLs; run in an isolated environment; rotate the key if exposure is suspected.
Users may need to set the API key manually and may not get normal credential-handling prompts from the installer.
The registry metadata does not cleanly declare the required `BITQUERY_API_KEY`, even though the skill instructions require it. This may prevent installers from clearly prompting for the credential.
Required env vars: [object Object] ... Env var declarations: none ... Primary credential: none
The publisher should fix the registry metadata to explicitly declare `BITQUERY_API_KEY` as a required environment variable or credential.
Running it without a timeout may consume Bitquery quota, generate large logs, or keep an agent session busy.
The default runtime is a continuous, all-token live stream. This matches the stated purpose, but it can run indefinitely and produce a large amount of output or provider usage.
Streams 1-second ticks for all tokens until interrupted (Ctrl+C) or optional --timeout seconds.
Use `--timeout` for tests, monitor provider quota, and avoid enabling verbose logging around the WebSocket connection.
A future dependency version could introduce breaking changes or unexpected behavior.
The required Python dependency is not version-pinned. The dependency is central to the WebSocket purpose, but unpinned packages can change behavior across installs.
gql[websockets]
Install in a virtualenv or container and consider pinning a reviewed version of `gql[websockets]` before production use.
