ClawHub

zapper-api

v1.0.0

Query DeFi portfolios, token holdings, NFTs, transactions, and prices via Zapper API. Supports 50+ chains. Use when user asks about wallet balances, DeFi positions, NFT collections, token prices, or transaction history.

0· 1.3k·0 current·0 all-time
by@zivhm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, and scripts/zapper.py all implement a Zapper GraphQL client. Requiring python3 and a ZAPPER_API_KEY is proportional and expected for this purpose; the only config path referenced (~/.config/zapper/addresses.json) is for wallet labels and an optional apiKey.
Instruction Scope
Runtime instructions and the script limit activity to resolving addresses, calling Zapper's public GraphQL endpoint, and printing JSON/text results. The SKILL.md does suggest storing the API key in ~/.config/zapper/addresses.json but also documents using the ZAPPER_API_KEY env var; there are no instructions to read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
No install spec is provided (instruction-only plus a Python script). That is low-risk; the script uses only standard library urllib for network calls and requires python3 on PATH.
Credentials
Declared primaryEnv is ZAPPER_API_KEY and no other secrets are requested. The single API key is appropriate for a client that queries a remote API. The skill optionally reads a single user config file for wallets and an apiKey, which is reasonable but does mean the API key may be stored in plaintext if the user follows that config pattern.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or modify other skills. The script only reads the user's config file and environment; it does not write to system paths or alter other components.
Assessment
This skill appears to be a straightforward Zapper API client. Before installing, confirm you trust the publisher (source is listed as unknown) and prefer exporting ZAPPER_API_KEY as an environment variable rather than storing it in ~/.config/zapper/addresses.json if you want to avoid keeping the key in plaintext. Review the shipped scripts locally (scripts/zapper.py) yourself to verify there are no hidden network calls beyond https://public.zapper.xyz/graphql. Use a limited or free-tier API key where possible, and rotate/revoke the key if you stop using the skill or if you spot unexpected behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk974w680msax23ftm0xz9yp32x80j7hv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🟪 Clawdis
Binspython3
Primary envZAPPER_API_KEY

Comments