Real-time Crypto Price API
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: realtime-crypto-price-api Version: 1.0.0 The skill bundle provides a legitimate API client for real-time cryptocurrency price data, connecting to `https://api.prismapi.ai`. The code in `src/index.js` and `cli.js` uses standard practices for network requests and argument parsing, including safe URL construction with `URL` and `URL.searchParams.set` to prevent injection. It reads an optional API key from `PRISM_API_KEY` and allows overriding the API endpoint via `PRISM_API_URL` environment variables, which are standard configuration options. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or prompt injection attempts in `SKILL.md` or `README.md`. All observed behaviors align with the stated purpose of providing cryptocurrency price data.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you provide a PRISM API key, it will be sent to the configured PRISM API URL to authenticate requests.
The library can use an API key from the environment and transmit it to the configured API endpoint. This is expected for a provider-backed price API, but it is still credential handling users should notice.
this.apiKey = apiKey || process.env.PRISM_API_KEY; ... headers['Authorization'] = `Bearer ${this.apiKey}`; ... fetch(url, { headers })Use a dedicated PRISM API key, keep it out of logs and shared environments, and do not set PRISM_API_URL to a host you do not trust.
Installing from npm runs code from that package when you import or invoke the CLI.
The skill documentation tells users to install an npm package, while the registry metadata does not provide a verified source. The included package manifest has no dependencies or postinstall script, so this is a provenance note rather than a concern.
Source: unknown ... Install specifications: No install spec — this is an instruction-only skill.
Verify the npm package name, publisher, and version before installing, especially if using it in trading bots or dashboards.