Apechain Reader
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a read-only blockchain wallet analysis skill; it uses external blockchain and pricing providers plus an optional Alchemy API key, but those uses are disclosed and purpose-aligned.
This skill looks safe for read-only wallet analysis if you are comfortable sending the queried blockchain addresses to a public RPC endpoint, CoinGecko, and optionally Alchemy. If you enable enhanced collection-name resolution, use a dedicated Alchemy API key; make sure Node.js is installed; and do not rely on ENS support until the documentation and the implementation agree.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you set an Alchemy key, the skill can use that key when making provider requests.
The helper reads an optional provider API key. This is credential access, but the documentation says the key is optional and used for Alchemy-backed collection-name resolution.
Evidence: const alchemyKey = process.env.ALCHEMY_API_KEY;
Recommendation: Use a dedicated, low-privilege Alchemy API key and rotate it if you suspect exposure.

Queried wallet addresses, contract addresses, and chain choices may be visible to third-party RPC/API providers.
The skill sends wallet/contract lookup context to external blockchain, pricing, and collection-name providers as part of its normal operation.
Evidence: Real-time token valuations via CoinGecko API ... Resolves NFT collection names via Alchemy API
Recommendation: Avoid querying addresses you consider sensitive unless you are comfortable with those providers receiving the lookup request.

Installation/runtime expectations may be less clear, and the agent or user must have Node.js available to run the scripts.
The skill depends on local Node.js script execution, while the registry requirements list no required binaries and there is no install spec. This is under-declared runtime metadata, not evidence of malicious behavior.
Evidence: This skill requires Node.js (v16+). No additional dependencies needed - uses built-in `fetch` API.
Recommendation: The publisher should declare Node.js as a required binary/runtime in metadata; users should verify the included scripts before running them.

Users or agents may expect .eth names to work even though the included tests say ENS resolution is blocked.
The included tests mark ENS resolution as blocked, which contradicts the skill description's claim of ENS domain support across commands. It is a functional trust/coherence issue, not a security escalation.
Evidence: ENS Domain Resolution (Task 4) ... STATUS: BLOCKED - Missing keccak256 dependency
Recommendation: Treat ENS support as unreliable unless the publisher updates the code and documentation consistently.
