From alchemy-pack
Applies Web3 security best practices for Alchemy-powered apps: API key protection, private key management, input validation, and dApp hardening.
How this skill is triggered — by the user, by Claude, or both
Slash command
/alchemy-pack:alchemy-security-basicsThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Web3 security practices for Alchemy-powered applications: API key protection, private key management, input validation, and smart contract interaction safety.
Web3 security practices for Alchemy-powered applications: API key protection, private key management, input validation, and smart contract interaction safety.
| Category | Requirement | Priority |
|---|---|---|
| API keys | Never expose in client-side code | Critical |
| Private keys | Use environment vars or secret manager | Critical |
| Addresses | Validate and checksum all inputs | High |
| RPC calls | Never pass user input directly to RPC | High |
| Webhooks | Verify HMAC signatures | High |
| Dependencies | Audit npm packages for supply chain | Medium |
// WRONG — API key in frontend code
// const alchemy = new Alchemy({ apiKey: 'demo123' }); // NEVER DO THIS
// RIGHT — API key in backend proxy
// src/api/proxy.ts
import express from 'express';
import { Alchemy, Network } from 'alchemy-sdk';
const app = express();
const alchemy = new Alchemy({
apiKey: process.env.ALCHEMY_API_KEY, // Server-side only
network: Network.ETH_MAINNET,
});
// Proxy endpoint — frontend calls this instead of Alchemy directly
app.get('/api/balance/:address', async (req, res) => {
const { address } = req.params;
if (!/^0x[a-fA-F0-9]{40}$/.test(address)) {
return res.status(400).json({ error: 'Invalid address format' });
}
const balance = await alchemy.core.getBalance(address);
res.json({ balance: balance.toString() });
});
// Alchemy Dashboard: restrict API key to specific domains/IPs
// Dashboard > App > Settings > Allowed Domains
// src/security/validators.ts
import { ethers } from 'ethers';
function validateAddress(input: string): string {
if (!ethers.isAddress(input)) throw new Error(`Invalid address: ${input}`);
return ethers.getAddress(input); // Returns checksummed address
}
function validateBlockNumber(input: string | number): string {
if (input === 'latest' || input === 'pending' || input === 'earliest') return input;
const num = typeof input === 'string' ? parseInt(input) : input;
if (isNaN(num) || num < 0) throw new Error(`Invalid block number: ${input}`);
return `0x${num.toString(16)}`;
}
function validateTokenId(input: string): string {
if (!/^\d+$/.test(input) && !input.startsWith('0x')) {
throw new Error(`Invalid token ID: ${input}`);
}
return input;
}
export { validateAddress, validateBlockNumber, validateTokenId };
// src/security/wallet-safety.ts
// NEVER:
// - Hardcode private keys in source code
// - Log private keys or mnemonic phrases
// - Store private keys in .env files committed to git
// - Accept private keys from user input in a web app
// Safe wallet setup for server-side operations
import { ethers } from 'ethers';
import { Alchemy, Network } from 'alchemy-sdk';
async function createSafeWallet() {
const alchemy = new Alchemy({
apiKey: process.env.ALCHEMY_API_KEY,
network: Network.ETH_SEPOLIA,
});
const provider = await alchemy.config.getProvider();
// Load private key from secret manager (GCP example)
const { SecretManagerServiceClient } = await import('@google-cloud/secret-manager');
const client = new SecretManagerServiceClient();
const [version] = await client.accessSecretVersion({
name: `projects/${process.env.GCP_PROJECT}/secrets/deployer-private-key/versions/latest`,
});
const privateKey = version.payload?.data?.toString() || '';
const wallet = new ethers.Wallet(privateKey, provider);
return wallet;
}
// src/security/webhook-verify.ts
import crypto from 'crypto';
function verifyAlchemyWebhookSignature(
body: string,
signature: string,
signingKey: string,
): boolean {
const hmac = crypto.createHmac('sha256', signingKey);
hmac.update(body, 'utf8');
const expectedSig = hmac.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expectedSig),
);
}
For production deployment, see alchemy-prod-checklist.
2plugins reuse this skill
First indexed Jul 18, 2026
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin alchemy-packInstalls Alchemy SDK and configures API key for Web3 blockchain access across Ethereum, Polygon, Arbitrum, Optimism, Base, and Solana.
Provides a security checklist covering secrets management, input validation, SQL injection prevention, and API endpoint security. Activates when adding auth, handling user input, working with secrets, or implementing payment features.
Provides security checklist and patterns for authentication, user input, secrets, API endpoints, payment/sensitive features.