
Zapper

by Spiros Raptis · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 2020
Stars: 1
Active Installs: 9
Versions: 1
Install in OpenClaw
/install zapper
Description
Query DeFi portfolio data across 50+ chains via Zapper's GraphQL API. Use when the user wants to check wallet balances, DeFi positions, NFT holdings, token prices, or transaction history. Supports Base, Ethereum, Polygon, Arbitrum, Optimism, and more. Requires ZAPPER_API_KEY.
Usage Guidance
This skill's code appears to implement exactly what it claims (calls Zapper's public GraphQL endpoint), but there are transparency and metadata issues you should address before installing:
- The skill requires a Zapper API key stored at ~/.clawdbot/skills/zapper/config.json, but the registry metadata does not declare this credential. Treat the API key like a secret: only install if you trust the skill's source.
- Inspect the bundled script yourself (scripts/zapper.sh). It sends POST requests only to https://public.zapper.xyz and formats results locally — no other external endpoints are contacted.
- Because disable-model-invocation is not set, the model may be able to call this skill autonomously. If you do not want that, set disable-model-invocation:true or only invoke the skill manually.
- Set the config file permissions to be readable only by your user (chmod 600 ~/.clawdbot/skills/zapper/config.json) so the key is not exposed to other users on the system.
- The declared required binaries include jq but the script uses python3 for JSON parsing; this is likely harmless but indicates the metadata may be out of sync. Consider running the script locally to confirm behavior before giving it any real API keys.
- If you need stronger assurance, ask the publisher for a verifiable source (repo or homepage) or a maintainer signature; the registry lists an owner id and no homepage. If you can't verify the origin, avoid storing sensitive keys for long periods or prefer using a dedicated, scoped API key with minimal privileges.
Capability Analysis
Type: OpenClaw Skill
Name: zapper
Version: 1.0.0

The skill bundle is benign. It is designed to query DeFi portfolio data via the Zapper GraphQL API. The `scripts/zapper.sh` script correctly uses `curl` to interact with the legitimate Zapper API endpoint (`https://public.zapper.xyz/graphql`) and `python3` for safe JSON parsing and output formatting. The API key is stored in a dedicated configuration file (`~/.clawdbot/skills/zapper/config.json`) and accessed securely. There is no evidence of data exfiltration, malicious execution, persistence, obfuscation, or prompt injection against the agent. All actions are aligned with the stated purpose.
Capability Assessment
Purpose & Capability
The script implements GraphQL calls to https://public.zapper.xyz and returns portfolio, tokens, NFTs, txs, prices, and claimables — which matches the skill description. However, the registry metadata lists no required credentials while SKILL.md and the script require a Zapper API key stored in ~/.clawdbot/skills/zapper/config.json. Also the declared required binaries include jq but the shipped script uses python3 for JSON parsing and does not actually call jq.
Instruction Scope
Runtime instructions and the shell script confine operations to: reading a config file under the user's home (~/.clawdbot/skills/zapper/config.json), making POST requests to public.zapper.xyz, and formatting output locally. The instructions do not direct the agent to read arbitrary system files, other environment variables, or send data to unexpected endpoints.
Install Mechanism
There is no installer — this is instruction + a script bundled with the skill. That is low-risk compared with fetching and executing remote code. The included script is readable and uses standard tools (curl, python3).
Credentials
The skill needs a Zapper API key, but the registry metadata did not declare a primaryEnv or required env vars — the key is instead stored in a local config file. This mismatch is a transparency issue: the skill requires a secret but the platform metadata doesn't list it. No other unrelated credentials are requested.
Persistence & Privilege
The skill is not marked always:true (so it won't be forced into every agent), but disable-model-invocation is not set — meaning the model may be allowed to invoke the skill autonomously. If you allow model-autonomy, the skill (and any stored API key) could be used without further prompts. The skill does not request elevated system privileges or unusual config paths.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install zapper
  3. After installation, invoke the skill by name or use /zapper
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
DeFi portfolio tracking across 50+ chains
Metadata
Slug zapper
Version 1.0.0
License
All-time Installs 10
Active Installs 9
Total Versions 1
Frequently Asked Questions

What is Zapper?

Query DeFi portfolio data across 50+ chains via Zapper's GraphQL API. Use when the user wants to check wallet balances, DeFi positions, NFT holdings, token prices, or transaction history. Supports Base, Ethereum, Polygon, Arbitrum, Optimism, and more. Requires ZAPPER_API_KEY. It is an AI Agent Skill for Claude Code / OpenClaw, with 2020 downloads so far.

How do I install Zapper?

Run "/install zapper" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Zapper free?

Yes, Zapper is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Zapper support?

Zapper is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Zapper?

It is built and maintained by Spiros Raptis (@spirosrap); the current version is v1.0.0.
