功能描述

Use Bitquery GraphQL through UXC for onchain trades, transfers, token holder analysis, balances, and market structure queries across supported networks, with...

使用说明 (SKILL.md)

Bitquery GraphQL Skill

Name: Bitquery GraphQL Skill
Author: jolestar

Use this skill to run Bitquery GraphQL API operations through uxc.

Reuse the uxc skill for discovery, GraphQL execution, OAuth lifecycle, and generic error handling.

Prerequisites

uxc is installed and available in PATH.
Network access to https://streaming.bitquery.io/graphql.
A Bitquery application client_id and client_secret are available.

Authentication

Bitquery uses bearer access tokens. The most stable agent path is OAuth client_credentials, not a copied temporary token.

Create a Bitquery application and note:
- application client_id
- application client_secret
- token scope api
Login once with OAuth client credentials:
- uxc auth oauth login bitquery-graphql --endpoint https://streaming.bitquery.io/graphql --flow client_credentials --client-id \x3Cclient_id> --client-secret \x3Cclient_secret> --scope api --token-endpoint https://oauth2.bitquery.io/oauth2/token
- This flow completes in one command. No browser approval page is required.
Bind the GraphQL endpoint:
- uxc auth binding add --id bitquery-graphql --host streaming.bitquery.io --path-prefix /graphql --scheme https --credential bitquery-graphql --priority 100
Verify auth mapping:
- uxc auth binding match https://streaming.bitquery.io/graphql
- uxc auth oauth info bitquery-graphql

Core Workflow

Use fixed link command by default:
- command -v bitquery-graphql-cli
- If missing, create it: uxc link bitquery-graphql-cli https://streaming.bitquery.io/graphql
- bitquery-graphql-cli -h
- If command conflict is detected and cannot be safely reused, stop and ask skill maintainers to pick another fixed command name.
Discover available root operations:
- bitquery-graphql-cli -h
- Verified roots currently include query/EVM, query/Solana, query/Trading, query/Tron, and matching subscription/* roots.
Inspect a specific operation:
- bitquery-graphql-cli query/EVM -h
- bitquery-graphql-cli query/Trading -h
Execute with positional JSON and explicit GraphQL selection sets:
- bitquery-graphql-cli query/EVM '{"network":"base","dataset":"combined","_select":"DEXTrades(limit: {count: 1}) { Transaction { Hash } }"}'
Prefer query/* operations first.
- uxc subscribe now auto-negotiates modern graphql-transport-ws and legacy graphql-ws compatibility profiles for subscription/*.
- Live Bitquery subscription validation now succeeds when you provide an explicit _select that matches a stream-friendly entity shape.
- Prefer subscription/EVM as the first validation target rather than subscription/Trading.

Capability Map

EVM onchain queries:
- query/EVM
- subscription/EVM
Solana onchain queries:
- query/Solana
- subscription/Solana
Cross-market / trading queries:
- query/Trading
- subscription/Trading
Tron onchain queries:
- query/Tron
- subscription/Tron

Within those roots, Bitquery exposes entities for tasks such as:

DEX trades
token balances and holder analysis
transfers
blocks and transactions
mempool and realtime activity
market or trading views depending on the root

Always inspect the current schema with -h and use the narrowest _select needed.

For subscriptions specifically:

always provide _select
start with a high-frequency root such as subscription/EVM
prefer direct event shapes before adding limit
treat empty selections or query-oriented shapes as likely application-level errors

Recommended Usage Pattern

Inspect root arguments first:
- bitquery-graphql-cli query/EVM -h
Start with a minimal query on one network:
- bitquery-graphql-cli query/EVM '{"network":"eth","dataset":"combined","_select":"DEXTrades(limit: {count: 1}) { Transaction { Hash } }"}'
Add only the fields needed for the task:
- buyers / sellers
- token addresses
- symbols
- amounts
- timestamps
Narrow with GraphQL arguments inside _select:
- limit
- orderBy
- where
Treat large or realtime queries carefully:
- avoid wide selections
- prefer one chain / token / wallet at a time on first pass
For live subscriptions, start with a known-good high-frequency shape:
- ./target/debug/uxc subscribe start https://streaming.bitquery.io/graphql subscription/EVM '{"network":"bsc","mempool":true,"_select":"Transfers { Transaction { Hash From To } Transfer { Amount Type Currency { Name } } }"}' --auth bitquery-graphql --sink file:$HOME/.uxc/subscriptions/bitquery-mempool.ndjson

Tested Real Scenario

The following authenticated Bitquery flow was verified successfully through uxc:

OAuth login with client_credentials
auth binding on https://streaming.bitquery.io/graphql
GraphQL host help
query/EVM -h
authenticated query/EVM call on base
daemon-backed subscription/EVM over WebSocket against live Bitquery infra
repeated live data events from a BSC mempool transfer stream

The verified query shape was:

{
  "network": "base",
  "dataset": "combined",
  "_select": "DEXTrades(limit: {count: 1}) { Block { Time } Transaction { Hash } Trade { Buy { Amount Buyer Currency { Symbol SmartContract } } Sell { Amount Seller Currency { Symbol SmartContract } } } }"
}

The verified subscription shape was:

{
  "network": "bsc",
  "mempool": true,
  "_select": "Transfers { Transaction { Hash From To } Transfer { Amount Type Currency { Name } } }"
}

Guardrails

Keep automation on JSON output envelope; do not rely on --text.
Parse stable fields first: ok, kind, protocol, data, error.
Use bitquery-graphql-cli as the default command path.
bitquery-graphql-cli \x3Coperation> ... is equivalent to uxc https://streaming.bitquery.io/graphql \x3Coperation> ....
Prefer positional JSON for GraphQL calls because _select is usually required.
Keep _select small on first pass and add explicit filters before expanding scope.
Prefer query/* for stable agent workflows. subscription/* is now validated at runtime, but still depends on provider-specific selection shape.
For subscription validation or automation, start with subscription/EVM and an explicit _select; do not assume an empty selection or subscription/Trading default shape will yield events.
If a subscription opens successfully but immediately returns GraphQL errors, treat that as a query-shape problem before assuming transport failure.
If auth fails:
- confirm uxc auth binding match https://streaming.bitquery.io/graphql resolves to bitquery-graphql
- inspect token state with uxc auth oauth info bitquery-graphql
- manually refresh with uxc auth oauth refresh bitquery-graphql
- if needed, rerun uxc auth oauth login ... --flow client_credentials ...
Do not paste temporary IDE tokens into long-lived skill docs. Prefer application-based client_credentials.

References

Invocation patterns:
- references/usage-patterns.md

安全使用建议

This skill appears to do what it says (query Bitquery through the uxc CLI), but review the following before installing: 1) Ensure you trust the skill source — no homepage or upstream source is provided. 2) Install and verify the uxc CLI yourself; the skill assumes uxc is on PATH but metadata doesn't declare it. 3) Do not provide client_secret on the command line as the docs show — that exposes it in process lists and shell history. Prefer logging in with a secure mechanism (uxc credential store, environment variables, or a prompt that doesn't record the secret). 4) Understand that auth bindings and tokens will be persisted into your uxc config (expected for API access). 5) If you need higher assurance, ask the maintainer to: declare uxc as a required binary, provide a homepage/source repo, and update docs to avoid passing secrets via CLI args. If you cannot verify the maintainer or the source, treat the skill with caution and avoid entering production credentials until you confirm it is trustworthy.

功能分析

Type: OpenClaw Skill Name: bitquery-graphql-skill Version: 1.0.1 The skill bundle provides a legitimate integration for the Bitquery GraphQL API using the 'uxc' utility. It contains standard instructions for OAuth authentication, command linking, and blockchain data querying (EVM, Solana, etc.). The included validation script (scripts/validate.sh) is a functional linter for the bundle's documentation, and no evidence of malicious intent, data exfiltration, or harmful prompt injection was found.

能力评估

ℹ Purpose & Capability

The name/description (Bitquery GraphQL) align with the instructions (using uxc to call streaming.bitquery.io/graphql). The skill legitimately needs Bitquery OAuth client_id/client_secret and network access to Bitquery. Minor inconsistency: the skill runtime requires the 'uxc' CLI in PATH, but registry metadata lists no required binaries; the package should declare uxc as a required binary to avoid surprise failures.

⚠ Instruction Scope

SKILL.md instructs the agent to run uxc auth flows, create auth bindings, link a fixed command name, inspect schemas, and start subscriptions including writing subscription output to $HOME/.uxc/subscriptions/.... Those actions are consistent with the stated purpose, but the doc tells users to run `uxc auth oauth login ... --client-secret <client_secret>` (passing secrets on the command line). That exposes secrets to process args and shell history. The instructions also create persistent auth bindings in the user's uxc credential store (expected for this use case but worth noting). There are no instructions to read or exfiltrate unrelated system files.

✓ Install Mechanism

This is an instruction-only skill with no install spec and no downloads — lowest-risk install mechanism. The included validate.sh is a developer-side check and not executed by the skill at runtime. No external or opaque download URLs are present.

ℹ Credentials

The skill legitimately requires Bitquery application credentials (client_id and client_secret) for OAuth client_credentials flow. The registry metadata does not declare any required env vars or a primary credential; that's not fatal but reduces transparency. The only sensitive material the skill needs is the Bitquery client credentials; it does not request unrelated credentials. However, the recommended CLI usage pattern passes the client_secret on the command line (insecure); the skill should instead recommend using a secure credential store or environment variables and avoid exposing secrets in shell history.

✓ Persistence & Privilege

always is false and the skill does not request elevated platform privileges. It instructs creating auth bindings and storing tokens in uxc's credential store, which is normal for an API-integration skill. The skill does not modify other skills' configurations or request system-wide changes beyond using uxc and writing subscription sink files in the user's home directory.

版本历史

v1.0.1

Document validated GraphQL subscription flows.

v1.0.0

Initial release of bitquery-graphql-skill. - Enables authenticated access to Bitquery GraphQL APIs for onchain data, trading, and analytics across EVM, Solana, Tron, and more. - Integrates with `uxc` for OAuth client_credentials authentication, endpoint discovery, and error handling. - Provides command-line workflow via a fixed `bitquery-graphql-cli` command. - Supports root queries for DEX trades, transfers, token holders, and market structure. - Includes guidance for setup, minimal queries, filtering, and agent-safe usage patterns.

元数据

Slug bitquery-graphql-skill

版本 1.0.1

许可证 MIT-0

累计安装 2

当前安装数 2

历史版本数 2

常见问题