Chainstream Graphql
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent ChainStream GraphQL integration, but it relies on external CLI tools, persistent wallet/API-key credentials, and user-confirmed crypto payments.
This skill appears appropriate for ChainStream GraphQL analytics. Before installing, be comfortable with using ChainStream's CLI/MCP, confirm any paid plan yourself, and avoid importing a valuable wallet private key; use an API key or a low-balance/generated wallet instead.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user confirms a purchase, real USDC can be spent for ChainStream quota.
The skill can invoke a CLI flow that signs a real crypto payment, but the artifact explicitly frames it as a subscription purchase requiring plan presentation and user confirmation.
Purchase a subscription using the dedicated CLI command. This involves a **real USDC payment** ... Always present plan options and get user confirmation before purchasing.
Only allow purchase commands after reviewing the plan, payment chain, wallet balance, and total cost; do not let the agent choose a plan on its own.
Using an existing wallet private key gives the external CLI sensitive signing access that could affect funds if misused.
The documentation includes an optional path where a user imports a raw wallet private key, giving the CLI signing authority for authentication and payments.
npx @chainstream-io/cli wallet set-raw --chain base ... Enter private key ... The CLI will use your private key for both SIWX authentication and x402 payment.
Prefer an API key or a newly generated, low-balance ChainStream wallet; avoid importing private keys for wallets holding significant assets.
The behavior ultimately depends on the external ChainStream CLI package fetched or executed by npx.
The skill depends on an external npm CLI invoked through npx, without a pinned package version in the skill artifacts.
CLI: `npx @chainstream-io/cli graphql`
Use the CLI only from a trusted environment, consider pinning a reviewed version, and avoid entering sensitive wallet material unless you trust the package source.
A ChainStream API key would be used by the remote MCP service for authenticated requests.
The optional MCP configuration sends an API key to ChainStream's remote MCP endpoint, which is expected for the integration but is still credential-bearing communication.
"url": "https://mcp.chainstream.io/mcp", "headers": { "X-API-KEY": "<your-api-key>" }
Use a scoped/revocable API key when possible and do not place unrelated secrets in the MCP configuration.
