
      Safety Report

      Heurist Mesh Crypto Analysis Skill

      @wjw12

      Real-time crypto token data, DeFi analytics, blockchain data, Twitter/X social intelligence, enhanced web search, crypto project search all in one Skill. For...

      2,115 Downloads
      2 Installs
      10 Stars
      4 Versions
      API Integration 4,971 · Search & Retrieval 2,116 · Social Media 1,367 · DevOps & Infrastructure 1,045

      Security Analysis

      Medium confidence
      Suspicious · 0.04 risk

      The skill's runtime instructions require sensitive credentials (API key, wallet private key, and Inflow keys) and installation steps that are not declared in the registry metadata, which is inconsistent and worth caution before use.

      Feb 24, 2026 · 5 files · 4 concerns

      Purpose & Capability: concern

      The skill description (crypto/DeFi analytics, mesh API) is plausible for needing an API key or payment method, but the published registry metadata declares no required environment variables or credentials, while the SKILL.md explicitly instructs users to add HEURIST_API_KEY, WALLET_PRIVATE_KEY, or INFLOW_* keys to a .env file. The missing declared requirements are an inconsistency: the skill will need secrets, but the metadata does not advertise them.

      Instruction Scope: concern

      SKILL.md instructs the agent (and user) to read the project .env file to confirm credentials and to store private keys in that file. It also includes detailed multi-step payment flows (HTTP endpoints, on‑chain signing via cast/Foundry, and Inflow flows). These instructions cause the agent to access local files containing secrets and to construct signatures/payments; that is within the skill's stated purpose for payment-enabled calls, but it also grants the skill broad ability to read sensitive local credentials and to perform actions with them — and those actions are not reflected in the registry's declared requirements.

      Install Mechanism: note

      This is an instruction-only skill (no install spec). However, the references describe installing Foundry/cast via curl | bash for x402 on-chain payments. Because the skill doesn't include an install block, that installation is left to the user/agent; this is a normal pattern, but it is important to know that curl | bash installs carry supply-chain risk.

      Credentials: concern

      The SKILL.md asks for three classes of sensitive credentials: HEURIST_API_KEY (expected), WALLET_PRIVATE_KEY (on‑chain payment — high privilege), and INFLOW_USER_ID/INFLOW_PRIVATE_KEY (payment). Requiring a wallet private key is proportionate if you choose the x402 flow, but the registry metadata did not declare any required env vars and the instructions ask the agent to read .env directly. Storing a raw private key in a project .env is risky; if you must use on‑chain payments, a dedicated ephemeral wallet or delegated signing is safer.

      Persistence & Privilege: ok

      The skill does not request always:true and does not declare modifications to other skills or global config. Autonomous invocation is allowed (platform default) but not uniquely privileged here. The skill's runtime behavior doesn't request permanent system-level presence beyond reading .env and interacting with remote Mesh endpoints.

      Guidance

      This skill is plausible for crypto analytics but contains inconsistencies and sensitive steps you should review before installing:

      (1) The registry lists no required environment variables, yet SKILL.md instructs storing HEURIST_API_KEY, WALLET_PRIVATE_KEY, or INFLOW keys in a local .env — confirm the publisher and why the metadata omits these.

      (2) If you use the x402 flow, the skill asks you to place a wallet private key in plaintext in the project root; avoid using your primary wallet. Use an ephemeral wallet with minimal funds or prefer the API key or Inflow routes.

      (3) The x402 instructions recommend installing Foundry via curl | bash — that has supply-chain risk; audit the install source before running.

      (4) Ensure you trust the endpoints (mesh.heurist.xyz / mesh.heurist.ai) and verify the skill publisher identity (there's no homepage).

      (5) Ask the publisher to update registry metadata to declare required env vars and to provide a less-privileged payment option (delegated signing, wallet-connect, or Inflow-only) and to avoid instructing agents to read arbitrary local files.

      If you proceed, limit credentials, use throwaway wallets, and review network calls carefully.

      Latest Release

      v1.0.3

      Version 1.0.3

      - Overhauled setup instructions to include three payment options: Heurist API key, x402 on-chain (USDC), and Inflow (USDC agentic payment platform).
      - Added concise quickstart instructions and tool descriptions for all major agents.
      - Added references for payment setup: `heurist-api-key.md`, `x402-payment.md`, and `inflow-payment.md`.
      - Updated tool and agent documentation to highlight recommended and new capabilities.
      - Improved guidance for tool discovery, pricing, and schema inspection.

      Published by @wjw12 on ClawHub
