Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alchemy OpenAPI Skill

v1.0.0

Operate Alchemy Prices API reads through UXC with a curated OpenAPI schema, path-templated API-key auth, and read-first guardrails.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name, description, OpenAPI schema, and instructions all align with a narrow, read-only Alchemy Prices API capability. However, the registry metadata lists no required env vars/credentials even though the SKILL.md explicitly instructs configuring an Alchemy API key (ALCHEMY_API_KEY) for path-templated auth.
Instruction Scope
SKILL.md stays on-scope: it instructs using uxc to link the curated OpenAPI schema, to run only read endpoints, and to keep JSON output. It does request network access to api.g.alchemy.com and to the curated schema on raw.githubusercontent.com, which is expected for this purpose. The only scope issue is that instructions require an API key environment variable that isn't declared in metadata.
Install Mechanism
There is no install spec (instruction-only), so nothing arbitrary is downloaded or written at install time. The included scripts/validate.sh is a local validation helper; it requires jq and rg (ripgrep) to run, but those are for local validation, not runtime execution.
Credentials
The skill needs a single Alchemy API key (used via path-templated auth), which is proportionate to its purpose. But the package metadata declares no required env vars or primary credential while the SKILL.md explicitly instructs using ALCHEMY_API_KEY (via uxc auth credential set). This mismatch is concerning because install/config tooling may not prompt the user to supply that secret. Also note: the API key appears in the request path, which can make it visible in logs and URL telemetry — the SKILL.md warns of this, but the platform's secret-handling behavior should be confirmed.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence or modify other skills. It does allow autonomous invocation (the platform default), which is normal and not, by itself, a red flag here.
What to consider before installing
This skill appears to legitimately implement read-only Alchemy Prices lookups via uxc, but the SKILL.md expects you to provide an Alchemy API key (ALCHEMY_API_KEY) even though the registry metadata lists no required credentials. Before installing:

  1. Confirm your agent/platform will let you store ALCHEMY_API_KEY as a secret (do not place it in shell history).
  2. Verify uxc is available in the runtime environment and that linking to the raw.githubusercontent.com schema is acceptable.
  3. Be aware the API key is placed in the URL path and may show up in logs or telemetry — ensure your secret storage and network logging policies mitigate that.
  4. If you rely on the registry's metadata for permission prompts, ask the publisher to update required env vars/primary credential to include ALCHEMY_API_KEY.

If those mismatches are resolved, the skill looks coherent and low-risk for its stated purpose.

SKILL.md

Alchemy Prices API Skill

Use this skill to run Alchemy Prices API operations through uxc + OpenAPI.

Reuse the uxc skill for shared execution, auth, and error-handling guidance.

Prerequisites

  • uxc is installed and available in PATH.
  • Network access to https://api.g.alchemy.com.
  • Access to the curated OpenAPI schema URL:
    • https://raw.githubusercontent.com/holon-run/uxc/main/skills/alchemy-openapi-skill/references/alchemy-prices.openapi.json
  • An Alchemy API key.

Scope

This v1 skill intentionally covers the narrow Prices API surface:

  • token price lookup by symbol
  • token price lookup by contract address
  • historical token prices

This skill does not cover:

  • node JSON-RPC
  • NFT or portfolio APIs
  • write operations
  • the broader Alchemy API surface
  • multi-symbol batch lookup in one uxc call

Authentication

Alchemy Prices API places the API key in the request path: /prices/v1/{apiKey}/....

Configure one API-key credential with a request path prefix template:

uxc auth credential set alchemy-prices \
  --auth-type api_key \
  --secret-env ALCHEMY_API_KEY \
  --path-prefix-template "/prices/v1/{{secret}}"

uxc auth binding add \
  --id alchemy-prices \
  --host api.g.alchemy.com \
  --scheme https \
  --credential alchemy-prices \
  --priority 100

Validate the active mapping when auth looks wrong:

uxc auth binding match https://api.g.alchemy.com

Core Workflow

  1. Use the fixed link command by default:

    • command -v alchemy-openapi-cli
    • If missing, create it: uxc link alchemy-openapi-cli https://api.g.alchemy.com --schema-url https://raw.githubusercontent.com/holon-run/uxc/main/skills/alchemy-openapi-skill/references/alchemy-prices.openapi.json
    • alchemy-openapi-cli -h
  2. Inspect operation schema first:

    • alchemy-openapi-cli get:/tokens/by-symbol -h
    • alchemy-openapi-cli post:/tokens/by-address -h
    • alchemy-openapi-cli post:/tokens/historical -h
  3. Start with narrow single-asset reads before batch historical requests:

    • alchemy-openapi-cli get:/tokens/by-symbol symbols=ETH currency=USD
    • alchemy-openapi-cli post:/tokens/by-address '{"addresses":[{"network":"eth-mainnet","address":"0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48"}],"currency":"USD"}'
  4. Use positional JSON only for the POST endpoints:

    • alchemy-openapi-cli post:/tokens/historical '{"symbol":"ETH","startTime":"2025-01-01T00:00:00Z","endTime":"2025-01-07T00:00:00Z","interval":"1d","currency":"USD"}'

Operations

  • get:/tokens/by-symbol
  • post:/tokens/by-address
  • post:/tokens/historical

Guardrails

  • Keep automation on the JSON output envelope; do not use --text.
  • Parse stable fields first: ok, kind, protocol, data, error.
  • Treat this v1 skill as read-only and prices-only. Do not imply RPC, trade execution, or wallet mutation support.
  • API keys are sensitive because they appear in the request path. Use --secret-env or --secret-op, not shell history literals, when possible.
  • /tokens/by-symbol is query-based in the live API.
  • The live API supports repeated symbols= parameters, but this v1 skill intentionally narrows that endpoint to a single symbols=<TOKEN> query because current uxc query argument handling does not reliably execute array-shaped query parameters.
  • Historical requests can expand quickly. Keep time windows tight unless the user explicitly wants a larger backfill.
  • alchemy-openapi-cli <operation> ... is equivalent to uxc https://api.g.alchemy.com --schema-url <alchemy_openapi_schema> <operation> ....
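
Because the key travels in the request path (/prices/v1/{apiKey}/...), any log line that records a full URL records the key. The following is an added example, not part of the skill or of uxc: a small scrubber that redacts the key segment before lines are stored and reports which lines carried one. The function names, the placeholder text and the sample log lines are assumptions made for illustration.

```python
import re

# Path layout from the SKILL.md: /prices/v1/{apiKey}/...
# The key segment runs until the next "/", "?", "#", whitespace or quote.
KEY_IN_PATH = re.compile(r"(/prices/v1/)([^/?#\s\"']+)")
PLACEHOLDER = "<redacted>"


def _replace(match):
    segment = match.group(2)
    # Leave templates ({{secret}}, {apiKey}) and already-redacted text alone.
    if segment.startswith(("{", "<")):
        return match.group(0)
    return match.group(1) + PLACEHOLDER


def redact_alchemy_key(text):
    """Return text with any API key in a Prices API path replaced."""
    return KEY_IN_PATH.sub(_replace, text)


def find_leaks(lines):
    """Return (line_number, redacted_line) for every line that carried a key."""
    leaks = []
    for number, line in enumerate(lines, start=1):
        cleaned = redact_alchemy_key(line)
        if cleaned != line:
            leaks.append((number, cleaned))
    return leaks


# Constructed sample log lines; the key value is a made-up placeholder.
SAMPLE_LOG = [
    "GET https://api.g.alchemy.com/prices/v1/CONSTRUCTED-KEY-123/tokens/by-symbol?symbols=ETH&currency=USD 200",
    "POST https://api.g.alchemy.com/prices/v1/CONSTRUCTED-KEY-123/tokens/historical 200",
    'auth path-prefix-template="/prices/v1/{{secret}}"',
    "binding match https://api.g.alchemy.com",
]

if __name__ == "__main__":
    for number, cleaned in find_leaks(SAMPLE_LOG):
        print(f"line {number} carried a key -> {cleaned}")
```

Run it over proxy, shell-trace or CI logs before they leave the host; a non-empty find_leaks result on stored logs is a signal to rotate the key.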

References
