ClawHub

Moralis Data Api

v1.3.2

Query Web3 blockchain data from Moralis API. Use when user asks about wallet data (balances, tokens, NFTs, transaction history, profitability, net worth), to...

1· 393·0 current·0 all-time
by@novnski
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the requirements: the skill only requires curl and MORALIS_API_KEY, which are appropriate and proportional for calling Moralis Data API endpoints. No unrelated credentials, binaries, or system paths are requested.
Instruction Scope
SKILL.md contains detailed runtime instructions (curl examples, pagination, response patterns, file/layout guidance). It instructs the agent to check a declared env var and to avoid asking the user to paste their API key in chat. The guidance to offer creating a .env placeholder can cause the agent to write a local file if implemented — this is expected for local configuration and is within scope for the skill's purpose.
Install Mechanism
No install spec or code is included — instruction-only. No downloads, package installs, or archive extraction are present, which minimizes risk.
Credentials
Only one required environment variable (MORALIS_API_KEY) is declared and identified as the primary credential. That is necessary and proportionate for authenticating API requests. No other secrets or unrelated env vars are requested.
Persistence & Privilege
Skill is not marked always:true and requests no system-level persistence. Model invocation is allowed (platform default) but the skill does not combine that with broad access or other privileges.
Scan Findings in Context
[base64-block] unexpected: The static scanner flagged a 'base64-block' pattern inside SKILL.md. I could not find an obvious base64 payload in the visible excerpts; this may be a false positive from truncated/embedded data or from large reference files. Because the scanner flagged it, manually inspect SKILL.md (and any truncated sections) for embedded encoded payloads before trusting a copy of the skill.
Assessment
This skill appears to do exactly what it claims: help the agent call Moralis Data API endpoints. Before installing: 1) Do NOT paste your MORALIS_API_KEY into chat — follow the skill's .env guidance and keep the key in a local environment file or secret manager. 2) Add .env to .gitignore and limit the key's scope (use a read-only key if possible) and rotate it if shared. 3) The skill may instruct the agent to create a .env placeholder; confirm any file-write actions with the agent or run them yourself. 4) Because the regex scan flagged a base64 pattern, quickly search SKILL.md and truncated sections for unexpected encoded payloads or hidden endpoints; if you see suspicious encoded data, do not install. 5) Monitor usage and rate limits on the Moralis account and audit API calls made by the agent if you enable autonomous invocation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cj9ybjjyv4z15kbk0dh7kp181z8yd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl
EnvMORALIS_API_KEY
Primary envMORALIS_API_KEY

Comments