Zapper
v1.0.0
Query DeFi portfolio data across 50+ chains via Zapper's GraphQL API. Use when the user wants to check wallet balances, DeFi positions, NFT holdings, token prices, or transaction history. Supports Base, Ethereum, Polygon, Arbitrum, Optimism, and more. Requires ZAPPER_API_KEY.
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The script implements GraphQL calls to https://public.zapper.xyz and returns portfolio, tokens, NFTs, txs, prices, and claimables — which matches the skill description. However, the registry metadata lists no required credentials while SKILL.md and the script require a Zapper API key stored in ~/.clawdbot/skills/zapper/config.json. Also the declared required binaries include jq but the shipped script uses python3 for JSON parsing and does not actually call jq.
Instruction Scope
Runtime instructions and the shell script confine operations to: reading a config file under the user's home (~/.clawdbot/skills/zapper/config.json), making POST requests to public.zapper.xyz, and formatting output locally. The instructions do not direct the agent to read arbitrary system files, other environment variables, or send data to unexpected endpoints.
Install Mechanism
There is no installer — this is instruction + a script bundled with the skill. That is low-risk compared with fetching and executing remote code. The included script is readable and uses standard tools (curl, python3).
Credentials
The skill needs a Zapper API key, but the registry metadata did not declare a primaryEnv or required env vars — the key is instead stored in a local config file. This mismatch is a transparency issue: the skill requires a secret but the platform metadata doesn't list it. No other unrelated credentials are requested.
Persistence & Privilege
The skill is not marked always:true (so it won't be forced into every agent), but disable-model-invocation is not set — meaning the model may be allowed to invoke the skill autonomously. If you allow model-autonomy, the skill (and any stored API key) could be used without further prompts. The skill does not request elevated system privileges or unusual config paths.
What to consider before installing
This skill's code appears to implement exactly what it claims (calls Zapper's public GraphQL endpoint), but there are transparency and metadata issues you should address before installing:
- The skill requires a Zapper API key stored at ~/.clawdbot/skills/zapper/config.json, but the registry metadata does not declare this credential. Treat the API key like a secret: only install if you trust the skill's source.
- Inspect the bundled script yourself (scripts/zapper.sh). It sends POST requests only to https://public.zapper.xyz and formats results locally — no other external endpoints are contacted.
- Because disable-model-invocation is not set, the model may be able to call this skill autonomously. If you do not want that, set disable-model-invocation:true or only invoke the skill manually.
- Set the config file permissions to be readable only by your user (chmod 600 ~/.clawdbot/skills/zapper/config.json) so the key is not exposed to other users on the system.
- The declared required binaries include jq but the script uses python3 for JSON parsing; this is likely harmless but indicates the metadata may be out of sync. Consider running the script locally to confirm behavior before giving it any real API keys.
- If you need stronger assurance, ask the publisher for a verifiable source (repo or homepage) or a maintainer signature; the registry lists an owner id and no homepage. If you can't verify the origin, avoid storing sensitive keys for long periods or prefer using a dedicated, scoped API key with minimal privileges.

Like a lobster shell, security has layers — review code before you run it.
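Two of the checks listed above (the script contacts only one endpoint, and the config file is readable only by its owner) can be scripted before a real key is stored. This is an added example, not part of the skill or the scan report; the function names and the sample files are constructed for illustration and do not reproduce the real scripts/zapper.sh.

```shell
#!/bin/sh
# Pre-install checks for a skill bundle (hypothetical helper names).

# Print each distinct host that appears in an http(s) URL inside a script.
script_hosts() {
    grep -Eo 'https?://[A-Za-z0-9.-]+' "$1" | sed -E 's#^https?://##' | sort -u
}

# Print hosts other than the one expected endpoint; empty output means clean.
unexpected_hosts() {
    script_hosts "$1" | grep -Fxv "$2" || true
}

# Succeed only if the file grants nothing to group or other (e.g. mode 600).
config_mode_ok() {
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") || return 2
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample bundle: one script with a single endpoint, one with an
# extra host, and a config file left world-readable. Prints the temp dir.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'curl -s -X POST https://public.zapper.xyz/graphql -d "$q"' \
        > "$dir/good.sh"
    printf '%s\n' 'curl -s -X POST https://public.zapper.xyz/graphql -d "$q"' \
                  'curl -s https://other.example.invalid/ping' \
        > "$dir/bad.sh"
    printf '{"apiKey":"PLACEHOLDER"}\n' > "$dir/config.json"
    chmod 644 "$dir/config.json"
    echo "$dir"
}
```

Against a real install, run `unexpected_hosts scripts/zapper.sh public.zapper.xyz` and `config_mode_ok ~/.clawdbot/skills/zapper/config.json`; any output from the first or a non-zero status from the second needs a closer look.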
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⚡ Clawdis
Bins: curl, jq, python3
SKILL.md
Zapper Skill
Query DeFi portfolio data across 50+ chains via Zapper's GraphQL API.
Quick Start
Setup
Get your API key from Zapper Dashboard (free tier available):
```bash
mkdir -p ~/.clawdbot/skills/zapper
cat > ~/.clawdbot/skills/zapper/config.json << 'EOF'
{
  "apiKey": "YOUR_ZAPPER_API_KEY"
}
EOF
```
Basic Usage
```bash
# Portfolio summary
scripts/zapper.sh portfolio 0x...

# Token holdings
scripts/zapper.sh tokens 0x...

# DeFi positions
scripts/zapper.sh apps 0x...

# NFT holdings
scripts/zapper.sh nfts 0x...

# Token price
scripts/zapper.sh price ETH

# Recent transactions
scripts/zapper.sh tx 0x...

# Unclaimed rewards
scripts/zapper.sh claimables 0x...
```
Commands
| Command | Description | Example |
|---|---|---|
| `portfolio <address>` | Token balances + totals across all chains | `zapper.sh portfolio 0x123...` |
| `tokens <address>` | Detailed token holdings | `zapper.sh tokens 0x123...` |
| `apps <address>` | DeFi positions (LPs, lending, staking) | `zapper.sh apps 0x123...` |
| `nfts <address>` | NFT holdings | `zapper.sh nfts 0x123...` |
| `price <symbol>` | Token price lookup | `zapper.sh price ETH` |
| `tx <address>` | Recent transactions (human-readable) | `zapper.sh tx 0x123...` |
| `claimables <address>` | Unclaimed rewards | `zapper.sh claimables 0x123...` |
Supported Networks
Zapper supports 50+ chains including:
- Ethereum
- Base
- Polygon
- Arbitrum
- Optimism
- Avalanche
- BNB Chain
- zkSync
- Linea
- Scroll
- And more...
Use Cases
- Portfolio tracking: Aggregate all DeFi positions across chains
- Yield hunting: Check claimables and unclaimed rewards
- NFT portfolio: Track NFT holdings across marketplaces
- Transaction history: Human-readable on-chain activity
- Token prices: Quick price lookups
API Reference
All endpoints use POST https://public.zapper.xyz/graphql with GraphQL queries.
See references/api.md for full API documentation.
Requirements
- curl - HTTP requests
- jq - JSON parsing
- python3 - Formatting output
- Zapper API key (free tier available)
Notes
- API key is required for all endpoints
- Rate limits apply based on your Zapper plan
- GraphQL queries allow flexible data selection
Files
3 total
