← 返回 Skills 市场
Zapper
作者
Spiros Raptis
· GitHub ↗
· v1.0.0
2020
总下载
1
收藏
9
当前安装
1
版本数
在 OpenClaw 中安装
/install zapper
功能描述
Query DeFi portfolio data across 50+ chains via Zapper's GraphQL API. Use when the user wants to check wallet balances, DeFi positions, NFT holdings, token prices, or transaction history. Supports Base, Ethereum, Polygon, Arbitrum, Optimism, and more. Requires ZAPPER_API_KEY.
安全使用建议
This skill's code appears to implement exactly what it claims (calls Zapper's public GraphQL endpoint), but there are transparency and metadata issues you should address before installing:
- The skill requires a Zapper API key stored at ~/.clawdbot/skills/zapper/config.json, but the registry metadata does not declare this credential. Treat the API key like a secret: only install if you trust the skill's source.
- Inspect the bundled script yourself (scripts/zapper.sh). It sends POST requests only to https://public.zapper.xyz and formats results locally — no other external endpoints are contacted.
- Because disable-model-invocation is not set, the model may be able to call this skill autonomously. If you do not want that, set disable-model-invocation:true or only invoke the skill manually.
- Set the config file permissions to be readable only by your user (chmod 600 ~/.clawdbot/skills/zapper/config.json) so the key is not exposed to other users on the system.
- The declared required binaries include jq but the script uses python3 for JSON parsing; this is likely harmless but indicates the metadata may be out of sync. Consider running the script locally to confirm behavior before giving it any real API keys.
- If you need stronger assurance, ask the publisher for a verifiable source (repo or homepage) or a maintainer signature; the registry lists an owner id and no homepage. If you can't verify the origin, avoid storing sensitive keys for long periods or prefer using a dedicated, scoped API key with minimal privileges.
功能分析
Type: OpenClaw Skill
Name: zapper
Version: 1.0.0
The skill bundle is benign. It is designed to query DeFi portfolio data via the Zapper GraphQL API. The `scripts/zapper.sh` script correctly uses `curl` to interact with the legitimate Zapper API endpoint (`https://public.zapper.xyz/graphql`) and `python3` for safe JSON parsing and output formatting. The API key is stored in a dedicated configuration file (`~/.clawdbot/skills/zapper/config.json`) and accessed securely. There is no evidence of data exfiltration, malicious execution, persistence, obfuscation, or prompt injection against the agent. All actions are aligned with the stated purpose.
能力评估
Purpose & Capability
The script implements GraphQL calls to https://public.zapper.xyz and returns portfolio, tokens, NFTs, txs, prices, and claimables — which matches the skill description. However, the registry metadata lists no required credentials while SKILL.md and the script require a Zapper API key stored in ~/.clawdbot/skills/zapper/config.json. Also the declared required binaries include jq but the shipped script uses python3 for JSON parsing and does not actually call jq.
Instruction Scope
Runtime instructions and the shell script confine operations to: reading a config file under the user's home (~/.clawdbot/skills/zapper/config.json), making POST requests to public.zapper.xyz, and formatting output locally. The instructions do not direct the agent to read arbitrary system files, other environment variables, or send data to unexpected endpoints.
Install Mechanism
There is no installer — this is instruction + a script bundled with the skill. That is low-risk compared with fetching and executing remote code. The included script is readable and uses standard tools (curl, python3).
Credentials
The skill needs a Zapper API key, but the registry metadata did not declare a primaryEnv or required env vars — the key is instead stored in a local config file. This mismatch is a transparency issue: the skill requires a secret but the platform metadata doesn't list it. No other unrelated credentials are requested.
Persistence & Privilege
The skill is not marked always:true (so it won't be forced into every agent), but disable-model-invocation is not set — meaning the model may be allowed to invoke the skill autonomously. If you allow model-autonomy, the skill (and any stored API key) could be used without further prompts. The skill does not request elevated system privileges or unusual config paths.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install zapper - 安装完成后,直接呼叫该 Skill 的名称或使用
/zapper触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
DeFi portfolio tracking across 50+ chains
元数据
常见问题
Zapper 是什么?
Query DeFi portfolio data across 50+ chains via Zapper's GraphQL API. Use when the user wants to check wallet balances, DeFi positions, NFT holdings, token prices, or transaction history. Supports Base, Ethereum, Polygon, Arbitrum, Optimism, and more. Requires ZAPPER_API_KEY. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2020 次。
如何安装 Zapper?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install zapper」即可一键安装,无需额外配置。
Zapper 是免费的吗?
是的,Zapper 完全免费(开源免费),可自由下载、安装和使用。
Zapper 支持哪些平台?
Zapper 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Zapper?
由 Spiros Raptis(@spirosrap)开发并维护,当前版本 v1.0.0。
推荐 Skills