Moralis Data Api

Review

Audited by ClawScan on May 10, 2026.

Overview

Prompt-injection indicators were detected in the submitted artifacts (base64-block); human review is required before treating this skill as clean.

This skill is reasonable to use if you trust Moralis and the publisher. Set MORALIS_API_KEY via your environment or a gitignored .env file, do not paste secrets into chat, and remember that Moralis will receive the wallet/token/NFT queries you ask the agent to run. ClawScan detected prompt-injection indicators (base64-block), so this skill requires review even though the model response was benign.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may make Moralis API requests from your environment, consuming API quota and sending the requested addresses or parameters to Moralis.

Why it was flagged

The skill authorizes shell use and curl-based network requests, which is expected for a command-line API helper but still means the agent can run external API calls.

Skill content

allowed-tools: Bash Read Grep Glob ... Requires curl for API calls.

Recommendation

Review or approve commands when practical, especially bulk or paginated requests, and keep requests limited to the data you intended to query.

What this means

Your Moralis API key will be used for requests and may incur quota usage under your Moralis account.

Why it was flagged

The skill depends on a Moralis account credential to authenticate API calls; this is purpose-aligned and explicitly disclosed.

Skill content

Requires MORALIS_API_KEY env var for authentication. ... All requests require: X-API-Key: $MORALIS_API_KEY

Recommendation

Use an environment variable or gitignored .env file, do not paste the key into chat, and rotate/revoke the key if it is accidentally exposed.

What this means

Moralis can see the queried wallet, token, NFT, transaction, or DeFi parameters along with the API key used for authentication.

Why it was flagged

The artifacts clearly disclose the external Moralis provider endpoints that will receive API queries.

Skill content

Base URL ... https://deep-index.moralis.io/api/v2.2 ... https://solana-gateway.moralis.io

Recommendation

Only query wallet addresses or blockchain data you are comfortable sending to Moralis, particularly if an address is linked to your identity.

What this means

You have less registry-level assurance that the published skill is the official Moralis-authored version.

Why it was flagged

The registry-level provenance is incomplete, although the skill itself names Moralis docs and a repository and there is no installable code.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the skill contents against Moralis documentation or the claimed repository before trusting it with an API key.