ClawHub

Chainstream Data

v3.1.6

Query and analyze on-chain data via MCP (17 tools) and CLI across Solana, BSC, Ethereum. Use when user asks to search tokens, check token security or holders...

0· 277·1 current·1 all-time
byChainStream@harry5556
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires walletCan make purchasesCan sign transactionsRequires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (on-chain token, wallet, market analytics across Solana/BSC/Ethereum) matches the instructions and references (MCP, REST endpoints, CLI, SDK). The files list endpoints and examples that align with the stated purpose. DeFi/signing guidance is scoped to separate 'defi' operations and the docs explain that signing is required for those flows.
Instruction Scope
SKILL.md is mostly read-only API usage (token search, holders, PnL, WebSocket streams). However, the instructions also document CLI wallet creation/login, importing raw private keys, and a payment flow (x402/MPP) that performs real USDC transfers. The skill repeatedly warns interactive purchase must be performed by a human, but an agent following the doc could nonetheless prompt users for private keys or attempt payment flows — these are sensitive actions and require explicit user confirmation.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code. Runtime instructions rely on standard public packages (npx @chainstream-io/cli, @chainstream-io/sdk) and official-looking domain names. No arbitrary download URLs or embedded installers are present in the skill bundle. Note: using npx will fetch remote code at runtime — expected for CLI usage but worth considering in threat model.
Credentials
The skill declares no required environment variables or credentials, which fits a read-only data skill. Documentation does describe API keys, SIWX wallet signatures, and the option to import private keys into the CLI; those are legitimate for wallet-based signing and x402 payments but are high-sensitivity operations. Requesting a private key or performing on-chain payments is proportional for DeFi execution but unnecessary for read-only queries — agents should avoid requesting secrets unless the user explicitly wants to perform signing/payments.
Persistence & Privilege
The skill does not request 'always: true' nor attempt to modify other skills. The docs note the CLI stores keys/config under ~/.config/chainstream/ (normal CLI behavior). That local persistence is typical for a CLI wallet but is operationally sensitive and should be performed only with user consent.
Assessment
This skill appears coherent for on-chain data queries and includes detailed, sensible instructions for using MCP, REST, CLI, and SDK. Before installing or using it, consider these points: - Do not paste or upload private keys to an agent. The docs show CLI commands to import raw keys; only do this manually in a secure terminal if you understand the implications. - x402/MPP involves real USDC payments (EIP-3009/EIP-712 signing). Never let an agent auto-purchase quotas — follow the doc's guidance to require explicit human confirmation and run payments yourself. - npx @chainstream-io/cli will fetch and run remote code. Prefer installing/running such tools in a controlled environment (local machine or sandbox) and inspect the package source/repo before trusting it. - For read-only queries, prefer using a dashboard-issued API key or temporary/test keys rather than provisioning wallet signing or importing secrets. - The skill source is 'unknown' in the registry metadata. If you plan to rely on it in production, obtain the CLI/SDK from the vendor's official repo or dashboard and verify package integrity (checksums, GitHub releases). If you want, I can extract the specific commands the agent would run for a given read-only task and mark which steps require human interaction or could consume funds.

Like a lobster shell, security has layers — review code before you run it.

blockchainvk97d9aynvbxn9ht4w9k7dtpk6d83b8vkcryptovk97d9aynvbxn9ht4w9k7dtpk6d83b8vkdefivk97d9aynvbxn9ht4w9k7dtpk6d83b8vkethereumvk97d9aynvbxn9ht4w9k7dtpk6d83b8vklatestvk9700rc7vwe0x9ay6sd0az4djx84d9wzmarketvk97d9aynvbxn9ht4w9k7dtpk6d83b8vkonchainvk97d9aynvbxn9ht4w9k7dtpk6d83b8vksolanavk97d9aynvbxn9ht4w9k7dtpk6d83b8vktokenvk97d9aynvbxn9ht4w9k7dtpk6d83b8vkwalletvk97d9aynvbxn9ht4w9k7dtpk6d83b8vkx402vk97d9aynvbxn9ht4w9k7dtpk6d83b8vk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments