ClawHub

Alchemy OpenAPI Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a coherent read-only Alchemy price lookup skill, but users should notice that it needs an Alchemy API key and uses a mutable remote OpenAPI schema link.

This skill is reasonable for read-only Alchemy price lookups. Before installing or using it, make sure you trust the UXC setup, protect the Alchemy API key with the recommended secret mechanism, and consider using a local or pinned OpenAPI schema instead of the mutable GitHub main-branch URL.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI03: Identity and Privilege Abuse
Low
What this means

The agent may use the user's Alchemy API key for price API requests, which could affect account usage or expose the key if handled carelessly outside the recommended secret mechanism.

Why it was flagged

The skill requires an Alchemy API key and uses it in the request path. This is expected for the Alchemy Prices API and the skill recommends secret handling, but it is still credential-bearing access the user should understand before installing.

Skill content
Alchemy Prices API places the API key in the request path: `/prices/v1/{apiKey}/...`
Recommendation

Use the documented `--secret-env` or another secret-backed method, avoid pasting API keys directly into shell commands, and use an Alchemy key with only the access needed for price reads where possible.

#ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

If the remote schema changes, the linked CLI could behave differently from the reviewed local schema.

Why it was flagged

The setup links UXC to an OpenAPI schema fetched from a mutable GitHub `main` branch URL. This is disclosed and matches the skill purpose, but a mutable schema source can change the operations exposed to the CLI.

Skill content
uxc link alchemy-openapi-cli https://api.g.alchemy.com --schema-url https://raw.githubusercontent.com/holon-run/uxc/main/skills/alchemy-openapi-skill/references/alchemy-prices.openapi.json
Recommendation

Review the schema before linking, prefer the included local schema or a pinned commit URL if supported, and re-check linked operations with `-h` before using the CLI.