Thegraph Mcp Skill
PassAudited by ClawScan on May 1, 2026.
Overview
This skill appears purpose-aligned for using The Graph through UXC, but users should notice that it stores/uses a The Graph API key and creates a persistent UXC command binding.
Install this if you intend to use The Graph through UXC and are comfortable configuring a The Graph API key. Verify the `thegraph-mcp-cli` command name is safe on your system, keep queries narrow to avoid unnecessary usage, and use a dedicated/revocable API key when possible.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When you use the skill, your agent may make The Graph MCP and GraphQL requests through UXC using the configured command.
The skill creates and uses a local command wrapper for a remote MCP endpoint. This is central to the stated purpose and includes help-first guidance, but it means the agent can invoke external The Graph MCP operations through that command.
`uxc link thegraph-mcp-cli https://subgraphs.mcp.thegraph.com/sse` ... `thegraph-mcp-cli <operation> ...` is equivalent to `uxc https://subgraphs.mcp.thegraph.com/sse <operation> ...`
Review operation help before running queries, keep initial queries narrow, and confirm the linked command name is not conflicting with an existing tool.
Requests may consume your The Graph account quota or billing allowance associated with the configured API key.
The skill explicitly uses a provider API key through UXC credential handling. This is expected for the service and no artifact shows leakage or unrelated use, but it is still account-level authority.
This endpoint requires a The Graph Gateway API key sent as `Authorization: Bearer <key>` ... `uxc auth credential set thegraph --secret-env THEGRAPH_API_KEY`
Use a scoped or dedicated The Graph API key where possible, store it only through the documented credential mechanism, and revoke or rotate it if no longer needed.
Automated install or permission prompts may not fully reflect that you need UXC, network access, and a The Graph API key.
The instructions disclose runtime prerequisites, but the registry metadata lists no required binaries, env vars, credentials, or install spec. This is a metadata completeness gap rather than hidden behavior.
Prerequisites - `uxc` is installed and available in `PATH`. - Network access to `https://subgraphs.mcp.thegraph.com/sse`. - The Graph Gateway API key is available for authenticated calls.
Before installing, verify you trust the UXC tool and The Graph endpoint, and expect to configure the API key manually.