Real-time Crypto Price API
PassAudited by ClawScan on May 10, 2026.
Overview
This skill is a coherent crypto price lookup API/CLI; it uses an optional PRISM API key and npm installation, but the reviewed code does not show hidden data access, persistence, or destructive behavior.
This appears safe for normal crypto price lookups. Before installing, verify the npm package and only provide a PRISM_API_KEY if you trust the PRISM endpoint; avoid custom PRISM_API_URL values unless you control or trust that server.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you provide a PRISM API key, it will be sent to the configured PRISM API URL to authenticate requests.
The library can use an API key from the environment and transmit it to the configured API endpoint. This is expected for a provider-backed price API, but it is still credential handling users should notice.
this.apiKey = apiKey || process.env.PRISM_API_KEY; ... headers['Authorization'] = `Bearer ${this.apiKey}`; ... fetch(url, { headers })Use a dedicated PRISM API key, keep it out of logs and shared environments, and do not set PRISM_API_URL to a host you do not trust.
Installing from npm runs code from that package when you import or invoke the CLI.
The skill documentation tells users to install an npm package, while the registry metadata does not provide a verified source. The included package manifest has no dependencies or postinstall script, so this is a provenance note rather than a concern.
Source: unknown ... Install specifications: No install spec — this is an instruction-only skill.
Verify the npm package name, publisher, and version before installing, especially if using it in trading bots or dashboards.