alchemy-api

Pass

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: SAFE | COMMAND_EXECUTION | EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides a shell script for automated API credential setup. This script fetches keys from a local CLI tool and persists them to a project .env file while automatically updating the .gitignore file to prevent accidental disclosure. These setup operations use standard system utilities and follow secure deployment practices.
  • [SAFE]: The skill adheres to high security standards by explicitly instructing agents to never surface API keys in output. It includes proactive security warnings, advising developers to treat all external blockchain data (such as NFT metadata and webhook payloads) as untrusted and providing guidance on sanitization and proxying.
  • [EXTERNAL_DOWNLOADS]: The skill references official Alchemy API infrastructure and documentation. The network operations described in the quickstart guides (such as curl requests to *.g.alchemy.com) target established vendor services for legitimate API integration and do not involve untrusted remote code execution.
  • [PROMPT_INJECTION]: While the skill acknowledges surfaces for indirect prompt injection from external data sources (e.g., blockchain metadata), it provides comprehensive remediation guidance to mitigate these risks. The skill instructions themselves contain no behavioral overrides or safety filter bypasses.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 22, 2026, 08:14 PM