Moralis OpenAPI Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent read-only Moralis wallet-data integration, but users should review the API-key setup, the unpinned remote schema, and the wallet data sent to Moralis.
This skill appears safe for its stated read-only Moralis use case. Before installing, use a dedicated Moralis API key, verify or pin the OpenAPI schema URL instead of relying on a mutable GitHub main-branch URL, and be mindful that wallet history, swaps, and net-worth queries can reveal sensitive financial information.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing the skill needs to provide a Moralis API key; calls made through the skill may consume that account's API quota and access whatever the key permits.
The skill requires a Moralis API key and configures a persistent credential binding. This is expected for the Moralis API and is scoped to the Moralis host/path, but it gives the agent delegated access to the user's Moralis account quota and permitted API scope.
Moralis uses `X-API-Key` header auth. Configure one API-key credential ... --api-key-header X-API-Key ... --secret-env MORALIS_API_KEY ... --host deep-index.moralis.io ... --path-prefix /api/v2.2
Use a dedicated Moralis API key with the least scope available, store it only in the intended `MORALIS_API_KEY` environment variable, and periodically review or remove the `uxc` credential binding if it is no longer needed.
A changed remote schema could expose different Moralis operations or parameters to the generated CLI than the packaged schema reviewed here.
The recommended link command fetches the OpenAPI schema from an unpinned GitHub `main` branch rather than a fixed version or commit. The packaged schema is read-only and coherent, but the remote schema could change independently of the reviewed artifact.
`uxc link moralis-openapi-cli https://deep-index.moralis.io/api/v2.2 --schema-url https://raw.githubusercontent.com/holon-run/uxc/main/skills/moralis-openapi-skill/references/moralis-evm.openapi.json`
Prefer the packaged schema or a pinned commit/version URL when linking the CLI, and review schema changes before using the skill with an API key.
Moralis will receive the wallet addresses and query parameters used with the skill, and the returned data may reveal portfolio or transaction information.
The skill sends wallet-address queries to the Moralis provider and retrieves financial-intelligence data such as balances, transaction history, swaps, and net worth. This is the core purpose of the skill, but wallet-to-user associations can be sensitive.
Network access to `https://deep-index.moralis.io/api/v2.2` ... wallet history ... wallet swaps ... wallet net worth
Only query wallets you are authorized to analyze, avoid sending unnecessary addresses, and keep limits/time windows narrow for history and swap lookups.
