ClawHub

Zerion Api

PassAudited by ClawScan on May 1, 2026.

Overview

This is a coherent Zerion wallet-analytics skill, but users should be aware it asks for a Zerion API key and may pass that key through MCP or an inner Claude prompt.

This skill appears purpose-aligned and non-destructive. Before installing, be comfortable pasting a Zerion API key into the session and sending wallet addresses or portfolio queries to Zerion/MCP workflows. Use a revocable API key, do not reuse sensitive credentials, and review any generated artifact so it does not hardcode, display, or log the key.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence
ASI03: Identity and Privilege Abuse
What this means

You will need to paste a Zerion API key into the chat session for the skill to work.

Why it was flagged

The skill requires a user-provided Zerion API key, which is expected for the service but still grants access to the user's Zerion API quota/account context.

Skill content
Zerion API requires a key for every request. The key is not stored in the MCP connector settings — the user must provide it each chat session.
Recommendation

Use a restricted or disposable Zerion API key if possible, avoid sharing keys for unrelated accounts, and revoke the key if you believe it was exposed.

NoteHigh Confidence
ASI07: Insecure Inter-Agent Communication
What this means

If you build dashboards or artifacts with this skill, the Zerion API key may be sent through an inner Claude/MCP request rather than only directly to Zerion.

Why it was flagged

The artifact workflow may place the API key inside a prompt sent to another model/MCP workflow, which is disclosed and purpose-aligned but expands where the credential is exposed.

Skill content
When building artifacts that call the Anthropic API with MCP, include the key in the inner prompt so the inner Claude can authenticate: ... const prompt = `Using the Zerion API key: ${apiKey}, get portfolio for wallet 0x...`;
Recommendation

Only enter the key into artifacts you trust, avoid displaying or storing it, and prefer workflows that pass credentials through dedicated secret/tool parameters rather than prompt text when available.