Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Moralis Streams Api

v1.2.1

Real-time blockchain event monitoring with webhooks. Use when user asks about setting up webhooks, real-time event streaming, monitoring wallet addresses, tr...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the requested inputs: the skill is about creating/reading/updating Streams webhooks and only requires curl and a MORALIS_API_KEY. The declared primary credential (MORALIS_API_KEY) and required binary (curl) are appropriate and proportional.
Instruction Scope
SKILL.md is a docs-heavy, step-by-step instruction set that only tells the agent to use the Streams API endpoints and to check the MORALIS_API_KEY environment variable. It explicitly warns not to ask users to paste API keys into chat and gives safe guidance for local .env discovery. It does not instruct reading unrelated files, exfiltrating data, or calling unknown endpoints.
Install Mechanism
No install spec and no code files — instruction-only. This is lowest-risk: nothing is downloaded or written by the skill beyond suggested local .env creation steps that are user-driven.
Credentials
Only one env var is required (MORALIS_API_KEY) and it is the expected credential for calling the Moralis Streams API. The SKILL.md only references this env var and no unrelated secrets or config paths.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. It does not modify other skills or system-wide settings. Autonomous invocation is allowed by default but is not combined with other concerning privileges.
Assessment
This skill is coherent and appears to implement Moralis Streams documentation via curl calls. Before installing:
1) Confirm you trust the source (owner ID is non-human) by checking the linked GitHub repo/docs URL independently;
2) Keep your MORALIS_API_KEY secret—do not paste it into chat; place it in a local .env and add .env to .gitignore as the docs advise;
3) Verify webhook endpoints you configure accept and quickly return 2xx and implement signature verification (x-signature) as documented;
4) Be careful with 'allAddresses' streams—they can generate very large volumes and cost more; and
5) If you need stronger assurance, review the referenced GitHub repository and Moralis official docs to confirm nothing has been altered.

Like a lobster shell, security has layers — review code before you run it.

latestvk97326k56e1jh590ag6fpa0t1x81yhkn

Runtime requirements

Bins: curl
Env: MORALIS_API_KEY
Primary env: MORALIS_API_KEY
