
moralis-streams-api

Enables real-time blockchain event monitoring with webhooks for tracking wallet addresses and token transfers across EVM chains.

0/100

Security score

The moralis-streams-api skill was audited on May 29, 2026 and we found 43 security issues across 4 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 205

Template literal with variable interpolation in command context

Source: SKILL.md
205: ```bash
medium line 60

Curl to non-GitHub URL

Source: SKILL.md
60: curl "https://api.moralis-streams.com/streams/evm?limit=10" \
medium line 209

Curl to non-GitHub URL

Source: SKILL.md
209: curl "https://api.moralis-streams.com/streams/evm?limit=100" \
medium line 213

Curl to non-GitHub URL

Source: SKILL.md
213: curl -X PUT "https://api.moralis-streams.com/streams/evm" \
medium line 226

Curl to non-GitHub URL

Source: SKILL.md
226: curl -X POST "https://api.moralis-streams.com/streams/evm/<stream_id>/status" \
medium line 299

Curl to non-GitHub URL

Source: SKILL.md
299: curl -X PUT "https://api.moralis-streams.com/streams/evm" \
medium line 3

Webhook reference - potential data exfiltration

Source: SKILL.md
3: description: Real-time blockchain event monitoring with webhooks. Use when user asks about setting up webhooks, real-time event streaming, monitoring wallet addresses, tracking token transfers in real
low line 142

Webhook reference - potential data exfiltration

Source: SKILL.md
142: "error" // CORRECT - auto-set when webhook success rate <70%
medium line 156

Webhook reference - potential data exfiltration

Source: SKILL.md
156: 6. **Not returning 200 on test webhook** - Stream won't start unless your endpoint returns 2xx on the test webhook sent during create/update
medium line 164

Webhook reference - potential data exfiltration

Source: SKILL.md
164: Enrich webhook data with on-chain reads (e.g., `balanceOf`). Triggers execute `view`/`pure` functions and attach results to webhook events. Supports dynamic selectors (`$contract`, `$from`, `$to`). Se
medium line 168

Webhook reference - potential data exfiltration

Source: SKILL.md
168: ## Native Balances in Webhooks
medium line 170

Webhook reference - potential data exfiltration

Source: SKILL.md
170: Configure `getNativeBalances` to include native token balances (ETH, BNB, etc.) in webhook payloads. Requires Business plan+. See [references/UsefulStreamOptions.md](references/UsefulStreamOptions.md)
medium line 176

Webhook reference - potential data exfiltration

Source: SKILL.md
176: - **Two webhooks per event**: Unconfirmed (`confirmed: false`) + Confirmed (`confirmed: true`). Idempotent handlers required.
medium line 177

Webhook reference - potential data exfiltration

Source: SKILL.md
177: - **Streams auto-terminate after 24 hours in error state** (webhook success rate <70%). This is **unrecoverable** — you must create a new stream.
medium line 178

Webhook reference - potential data exfiltration

Source: SKILL.md
178: - **Test webhook**: Sent on every create/update. Must return 200 or stream won't start.
medium line 184

Webhook reference - potential data exfiltration

Source: SKILL.md
184: ## Webhook Security
medium line 186

Webhook reference - potential data exfiltration

Source: SKILL.md
186: Webhooks are signed with your streams secret (different from API key).
medium line 199

Webhook reference - potential data exfiltration

Source: SKILL.md
199: See [references/WebhookSecurity.md](references/WebhookSecurity.md) for complete examples.
low line 206

Webhook reference - potential data exfiltration

Source: SKILL.md
206: WEBHOOK_URL="https://your-server.com/webhook"
low line 217

Webhook reference - potential data exfiltration

Source: SKILL.md
217: "webhookUrl": "'${WEBHOOK_URL}'",
medium line 238

Webhook reference - potential data exfiltration

Source: SKILL.md
238: | "400 Bad Request" | Invalid config | Check webhookUrl, topic0 format, chainIds |
medium line 242

Webhook reference - potential data exfiltration

Source: SKILL.md
242: | "No webhooks" | Stream paused | Check status is "active" |
medium line 268

Webhook reference - potential data exfiltration

Source: SKILL.md
268: | [GetStreamBlockDataByNumber](rules/GetStreamBlockDataByNumber.md) | Get webhook data returned on the block number with provided stream config |
medium line 269

Webhook reference - potential data exfiltration

Source: SKILL.md
269: | [GetStreamBlockDataToWebhookByNumber](rules/GetStreamBlockDataToWebhookByNumber.md) | Send webhook based on a specific block number using stream config and addresses. |
low line 303

Webhook reference - potential data exfiltration

Source: SKILL.md
303: "webhookUrl": "https://your-server.com/webhook",
medium line 343

Webhook reference - potential data exfiltration

Source: SKILL.md
343: - [references/DeliveryGuarantees.md](references/DeliveryGuarantees.md) - At-least-once delivery, dual webhooks, confirmation blocks, test webhooks
medium line 346

Webhook reference - potential data exfiltration

Source: SKILL.md
346: - [references/FilterStreams.md](references/FilterStreams.md) - Webhook data filtering to reduce noise
medium line 349

Webhook reference - potential data exfiltration

Source: SKILL.md
349: - [references/ReplayFailedWebhooks.md](references/ReplayFailedWebhooks.md) - Replay failed webhook guide
medium line 354

Webhook reference - potential data exfiltration

Source: SKILL.md
354: - [references/WebhookResponseBody.md](references/WebhookResponseBody.md) - Webhook payload structure
medium line 355

Webhook reference - potential data exfiltration

Source: SKILL.md
355: - [references/WebhookSecurity.md](references/WebhookSecurity.md) - Signature verification
medium line 45

Access to .env file

Source: SKILL.md
45: 2. If not set, offer to create the `.env` file with an empty placeholder: `MORALIS_API_KEY=`
medium line 46

Access to .env file

Source: SKILL.md
46: 3. Tell the user to open the `.env` file and paste their key there themselves.
medium line 53

Access to .env file

Source: SKILL.md
53: The `.env` file location depends on how skills are installed:
medium line 55

Access to .env file

Source: SKILL.md
55: Create the `.env` file in the project root (same directory the user runs Claude Code from). Make sure `.env` is in `.gitignore`.
low line 49

External URL reference

Source: SKILL.md
49: If they don't have a key yet, point them to [admin.moralis.com/register](https://admin.moralis.com/register) (free, no credit card).
low line 60

External URL reference

Source: SKILL.md
60: curl "https://api.moralis-streams.com/streams/evm?limit=10" \
low line 69

External URL reference

Source: SKILL.md
69: https://api.moralis-streams.com
low line 206

External URL reference

Source: SKILL.md
206: WEBHOOK_URL="https://your-server.com/webhook"
low line 209

External URL reference

Source: SKILL.md
209: curl "https://api.moralis-streams.com/streams/evm?limit=100" \
low line 213

External URL reference

Source: SKILL.md
213: curl -X PUT "https://api.moralis-streams.com/streams/evm" \
low line 226

External URL reference

Source: SKILL.md
226: curl -X POST "https://api.moralis-streams.com/streams/evm/<stream_id>/status" \
low line 299

External URL reference

Source: SKILL.md
299: curl -X PUT "https://api.moralis-streams.com/streams/evm" \
low line 303

External URL reference

Source: SKILL.md
303: "webhookUrl": "https://your-server.com/webhook",
Scanned on May 29, 2026