Zapper Api

Review

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to be a coherent, read-only Zapper API wrapper, with expected privacy considerations around API keys and wallet/portfolio data.

This skill looks safe for its stated read-only purpose, but treat wallet portfolios and the Zapper API key as sensitive. Before installing, decide whether you are comfortable storing wallet addresses in `~/.config/zapper/addresses.json` and sending queried addresses to Zapper's API.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the local config file or environment is exposed, someone could reuse the Zapper API key and see configured wallet query behavior.

Why it was flagged

The skill uses a service credential to access Zapper. This is expected for the stated API integration, but the key should be treated as sensitive.

Skill content

Configure in `~/.config/zapper/addresses.json`: ... "apiKey": "your-api-key" ... Or set environment variable: `export ZAPPER_API_KEY="your-api-key"`

Recommendation

Use a dedicated Zapper API key, keep the config file private, prefer restrictive file permissions, and rotate the key if it is accidentally shared.

What this means

Queried wallet addresses can be associated with portfolio, NFT, transaction, and DeFi position lookups through Zapper, which may reveal sensitive financial interests.

Why it was flagged

Wallet addresses and GraphQL query variables are sent to Zapper with the API key. This is disclosed and purpose-aligned, but it means a third-party provider receives wallet lookup activity.

Skill content

GRAPHQL_URL = "https://public.zapper.xyz/graphql" ... "x-zapper-api-key": api_key ... result = graphql_request(query, {"addresses": addresses, "first": limit})

Recommendation

Only query wallets you are comfortable sending to Zapper, avoid sharing raw outputs publicly, and use explicit addresses when you do not want all configured wallets queried.