Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Moralis OpenAPI Skill

v1.0.0

Operate Moralis EVM wallet and token reads through UXC with a curated OpenAPI schema, API-key auth, and wallet-intelligence guardrails.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name, description, OpenAPI schema, and SKILL.md consistently describe a read-only Moralis EVM data surface accessed via the uxc CLI. The operations and schema match the stated purpose. However, the registry metadata declares no required environment variables or primary credential even though the instructions explicitly require a Moralis API key (MORALIS_API_KEY). This mismatch is unexpected but consistent with the skill's stated function.
Instruction Scope
SKILL.md confines instructions to linking a curated OpenAPI schema, using the uxc CLI to call deep-index.moralis.io, and configuring API-key auth. It does not instruct the agent to read unrelated files, scan system state, or contact other external endpoints. It does require network access to Moralis and a functioning uxc installation on PATH.
Install Mechanism
This is an instruction-only skill (no install spec). There are no downloads or archive extraction. The only runtime dependency is the uxc CLI, which the skill expects to already be present; validate.sh uses jq and rg but that's a development-time validation script, not a runtime installer.
Credentials
The runtime instructions require an API key passed via MORALIS_API_KEY and show how to create a uxc credential/binding. Requesting a Moralis API key is proportionate to the skill's read-only purpose. The concern is that the skill metadata does not declare this required secret (no required env vars / no primary credential), which is an incoherence that could confuse users and automated installers about what secrets will be needed.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide configurations. Autonomous invocation is allowed (default) which is normal for skills; there is no indication the skill self-enables persistently beyond normal usage.
What to consider before installing
This skill is coherent in function (read-only Moralis EVM reads via uxc), but the published metadata fails to list the Moralis API key it expects. Before installing:

  1. Confirm you trust the skill source and the uxc CLI (requests will go to deep-index.moralis.io).
  2. Expect to provide a Moralis API key (MORALIS_API_KEY) and prefer binding it in uxc rather than exporting it globally.
  3. Verify the OpenAPI schema URL and GitHub raw link in the SKILL.md to ensure they point to the expected curated schema.
  4. If you do not want the agent to call the skill autonomously, restrict model-invocation or only use it interactively.
  5. Ask the publisher to update the skill metadata to explicitly declare the required environment variable / primary credential so automated tooling and reviewers are not misled.


SKILL.md

Moralis Web3 Data API Skill

Use this skill to run Moralis EVM data operations through uxc + OpenAPI.

Reuse the uxc skill for shared execution, auth, and error-handling guidance.

Prerequisites

  • uxc is installed and available in PATH.
  • Network access to https://deep-index.moralis.io/api/v2.2.
  • Access to the curated OpenAPI schema URL:
    • https://raw.githubusercontent.com/holon-run/uxc/main/skills/moralis-openapi-skill/references/moralis-evm.openapi.json
  • A Moralis API key.

Scope

This skill covers a read-first wallet intelligence surface:

  • native balance lookup
  • wallet token balances
  • wallet history
  • wallet swaps
  • wallet net worth
  • ERC-20 metadata lookup
  • ERC-20 token price lookup

This skill does not cover:

  • write or transaction submission flows
  • Solana, Streams, or NFT-specific surfaces
  • the full Moralis API

Authentication

Moralis uses X-API-Key header auth.

Configure one API-key credential and bind it to deep-index.moralis.io/api/v2.2:

uxc auth credential set moralis \
  --auth-type api_key \
  --api-key-header X-API-Key \
  --secret-env MORALIS_API_KEY

uxc auth binding add \
  --id moralis \
  --host deep-index.moralis.io \
  --path-prefix /api/v2.2 \
  --scheme https \
  --credential moralis \
  --priority 100

Validate the active mapping when auth looks wrong:

uxc auth binding match https://deep-index.moralis.io/api/v2.2

Core Workflow

  1. Use the fixed link command by default:

    • command -v moralis-openapi-cli
    • If missing, create it: uxc link moralis-openapi-cli https://deep-index.moralis.io/api/v2.2 --schema-url https://raw.githubusercontent.com/holon-run/uxc/main/skills/moralis-openapi-skill/references/moralis-evm.openapi.json
    • moralis-openapi-cli -h
  2. Inspect operation schema first:

    • moralis-openapi-cli get:/{address}/balance -h
    • moralis-openapi-cli get:/wallets/{address}/tokens -h
    • moralis-openapi-cli get:/erc20/{address}/price -h
  3. Prefer narrow reads before broader wallet scans:

    • moralis-openapi-cli get:/{address}/balance address=0xd8da6bf26964af9d7eed9e03e53415d37aa96045 chain=eth
    • moralis-openapi-cli get:/erc20/{address}/price address=0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48 chain=eth
    • moralis-openapi-cli get:/wallets/{address}/net-worth address=0xd8da6bf26964af9d7eed9e03e53415d37aa96045 chain=eth
  4. Execute with key/value parameters:

    • moralis-openapi-cli get:/wallets/{address}/tokens address=0xd8da6bf26964af9d7eed9e03e53415d37aa96045 chain=eth
    • moralis-openapi-cli get:/wallets/{address}/history address=0xd8da6bf26964af9d7eed9e03e53415d37aa96045 chain=eth limit=20

Operation Groups

Wallet Reads

  • get:/{address}/balance
  • get:/wallets/{address}/tokens
  • get:/wallets/{address}/history
  • get:/wallets/{address}/swaps
  • get:/wallets/{address}/net-worth

Token Reads

  • get:/erc20/metadata
  • get:/erc20/{address}/price
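
Because the curated schema is fetched from a URL, a reviewer can check that a downloaded copy still exposes only the seven GET operations listed above. The sketch below is an added example, not part of the skill or of uxc; it assumes the schema is an OpenAPI 3 document whose paths are relative to the /api/v2.2 server, and the sample documents are constructed.

```python
import copy

# Operation paths listed under "Operation Groups" on this page (all GET).
EXPECTED_PATHS = {
    "/{address}/balance",
    "/wallets/{address}/tokens",
    "/wallets/{address}/history",
    "/wallets/{address}/swaps",
    "/wallets/{address}/net-worth",
    "/erc20/metadata",
    "/erc20/{address}/price",
}
EXPECTED_SERVER = "https://deep-index.moralis.io/api/v2.2"
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}


def audit_schema(doc):
    """Return findings; an empty list means the schema matches the documented surface."""
    findings = []
    for server in doc.get("servers", []):
        url = server.get("url", "").rstrip("/")
        if url != EXPECTED_SERVER:
            findings.append(f"unexpected server: {url}")
    seen = set()
    for path, item in doc.get("paths", {}).items():
        for key in item:
            method = key.lower()
            if method not in HTTP_METHODS:
                continue  # path-level keys such as "parameters" or "summary"
            if method != "get":
                findings.append(f"non-read operation: {method}:{path}")
            elif path not in EXPECTED_PATHS:
                findings.append(f"undocumented operation: get:{path}")
            else:
                seen.add(path)
    for path in sorted(EXPECTED_PATHS - seen):
        findings.append(f"missing operation: get:{path}")
    return findings


# Constructed sample documents, not the real curated schema.
CLEAN = {"servers": [{"url": EXPECTED_SERVER}],
         "paths": {p: {"get": {}} for p in EXPECTED_PATHS}}
TAMPERED = copy.deepcopy(CLEAN)
TAMPERED["servers"].append({"url": "https://example.invalid/api"})
TAMPERED["paths"]["/wallets/{address}/tokens"]["post"] = {}

if __name__ == "__main__":
    print(audit_schema(CLEAN))
    print(audit_schema(TAMPERED))
```

To audit a real copy, load the downloaded JSON with `json.load` and pass the resulting dict to `audit_schema`.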

Guardrails

  • Keep automation on the JSON output envelope; do not use --text.
  • Parse stable fields first: ok, kind, protocol, data, error.
  • Treat this v1 skill as read-only. Do not imply signing or transaction broadcast support.
  • Moralis supports multiple chains. Always pass chain explicitly instead of assuming Ethereum.
  • Wallet history and swaps can become expensive at large ranges. Start with small limits and narrow time windows.
  • moralis-openapi-cli <operation> ... is equivalent to uxc https://deep-index.moralis.io/api/v2.2 --schema-url <moralis_openapi_schema> <operation> ....
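
One way to enforce these guardrails in automation, as an added example that is not part of the skill or of uxc: it builds the argument list for the `{address}` read operations and parses the JSON envelope fail-closed. The envelope field names come from the list above; `MAX_LIMIT`, `CHAIN_RE` and the sample envelope values are assumptions made for illustration.

```python
import json
import re

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")
CHAIN_RE = re.compile(r"[a-z0-9_-]+")  # hypothetical local format check
MAX_LIMIT = 100                        # hypothetical local ceiling, not a Moralis value


def build_argv(operation, address, chain, limit=None):
    """Build an argv list for an {address} read, enforcing the guardrails."""
    if not operation.startswith("get:/") or "{address}" not in operation:
        raise ValueError("only get: operations with an {address} parameter")
    if not ADDRESS_RE.fullmatch(address):
        raise ValueError("address must be 0x followed by 40 hex digits")
    if not chain or not CHAIN_RE.fullmatch(chain):
        raise ValueError("chain must be passed explicitly")
    argv = ["moralis-openapi-cli", operation, f"address={address}", f"chain={chain}"]
    if limit is not None:
        if not isinstance(limit, int) or not 1 <= limit <= MAX_LIMIT:
            raise ValueError(f"limit must be an integer between 1 and {MAX_LIMIT}")
        argv.append(f"limit={limit}")
    return argv  # hand to subprocess.run(argv) as a list, never as a shell string


def parse_envelope(raw):
    """Return the data field of a successful envelope; fail closed otherwise."""
    try:
        env = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise RuntimeError("output is not JSON (was --text used?)") from exc
    if not isinstance(env, dict) or env.get("ok") is not True:
        error = env.get("error") if isinstance(env, dict) else None
        raise RuntimeError(f"call failed: {error!r}")
    if "data" not in env:
        raise RuntimeError("ok envelope without a data field")
    return env["data"]


# Constructed envelopes: field names come from the guardrails, values are made up.
OK_SAMPLE = '{"ok": true, "kind": "sample", "protocol": "openapi", "data": {"balance": "1"}}'
ERR_SAMPLE = '{"ok": false, "error": {"message": "sample failure"}}'

if __name__ == "__main__":
    addr = "0xd8da6bf26964af9d7eed9e03e53415d37aa96045"
    print(build_argv("get:/wallets/{address}/history", addr, "eth", 20))
    print(parse_envelope(OK_SAMPLE))
```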

References
