web3-data-skill
PassAudited by ClawScan on May 1, 2026.
Overview
The artifacts show a coherent Chainbase Web3 data-query skill with disclosed external API use and an optional API key, with no evidence of hidden persistence, destructive actions, or off-purpose exfiltration.
This appears safe to install if you want Claude to query public on-chain data through Chainbase. Be aware that requests may run through a local bash/curl helper, may use your CHAINBASE_API_KEY if configured, and will send queried wallet addresses, token contracts, and SQL text to Chainbase.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A broad or mistaken request could call an unintended Chainbase endpoint or run a large query with the user's Chainbase quota, but the artifacts do not show blockchain mutation or non-Chainbase exfiltration.
The wrapper lets the agent choose Chainbase API paths, methods, and request bodies. This is broad tool authority, but it remains bounded to Chainbase domains and matches the skill's stated data-query purpose.
endpoint="$1" ... --method=*) method="${arg#--method=}" ... --body=*) body="${arg#--body=}"Use it for read-only analytics and review unusually broad SQL or custom endpoint requests, especially if quota, billing, or large result sets matter.
If CHAINBASE_API_KEY is set, the agent's queries may use that account's quota or billing limits.
The script reads an optional Chainbase API key from the environment and sends it as an API header to Chainbase. This is expected for the service and no artifact shows the key being logged or sent elsewhere.
API_KEY="${CHAINBASE_API_KEY:-demo}" ... -H "${call_header}: ${API_KEY}"Use a scoped Chainbase key where possible and avoid setting the environment variable if the demo key is sufficient.
Chainbase can see the blockchain identifiers and queries submitted through the skill, which may reveal what wallets or tokens the user is investigating.
The skill sends wallet addresses, token contracts, SQL queries, and related request parameters to the external Chainbase provider. This data flow is disclosed and central to the skill.
BASE_URL="https://api.chainbase.online" ... SQL_BASE_URL="https://api.chainbase.com/api/v1" ... curl -s
Do not query wallet addresses or other identifiers you consider private unless you are comfortable sending them to Chainbase.