Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Security audit
Security checks across malware telemetry and agentic risk
This is a disclosed Bitquery WebSocket market-data feed that uses a required API key for its stated purpose.
Install only if you are comfortable giving the script a Bitquery API key and opening a WebSocket connection to Bitquery. Run it in a virtual environment, avoid logging or sharing the full WebSocket URL, and consider pinning the Python dependency before using it in production.
from gql.transport.websockets import WebsocketsTransport
async def main():
token = os.environ["BITQUERY_API_KEY"]
url = f"wss://streaming.bitquery.io/graphql?token={token}"
transport = WebsocketsTransport(
url=url,66/66 vendors flagged this skill as clean.
No suspicious patterns detected.