Stats
Actions
Tags
From alchemy-pack
Secures Alchemy-powered Web3 apps with best practices: API key protection via backend proxies, private key management, address/input validation using ethers, safe RPC calls.
How this skill is triggered — by the user, by Claude, or both
Slash command
/alchemy-pack:alchemy-security-basicsThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Web3 security practices for Alchemy-powered applications: API key protection, private key management, input validation, and smart contract interaction safety.
Web3 security practices for Alchemy-powered applications: API key protection, private key management, input validation, and smart contract interaction safety.
| Category | Requirement | Priority |
|---|---|---|
| API keys | Never expose in client-side code | Critical |
| Private keys | Use environment vars or secret manager | Critical |
| Addresses | Validate and checksum all inputs | High |
| RPC calls | Never pass user input directly to RPC | High |
| Webhooks | Verify HMAC signatures | High |
| Dependencies | Audit npm packages for supply chain | Medium |
// WRONG — API key in frontend code
// const alchemy = new Alchemy({ apiKey: 'demo123' }); // NEVER DO THIS
// RIGHT — API key in backend proxy
// src/api/proxy.ts
import express from 'express';
import { Alchemy, Network } from 'alchemy-sdk';
const app = express();
const alchemy = new Alchemy({
apiKey: process.env.ALCHEMY_API_KEY, // Server-side only
network: Network.ETH_MAINNET,
});
// Proxy endpoint — frontend calls this instead of Alchemy directly
app.get('/api/balance/:address', async (req, res) => {
const { address } = req.params;
if (!/^0x[a-fA-F0-9]{40}$/.test(address)) {
return res.status(400).json({ error: 'Invalid address format' });
}
const balance = await alchemy.core.getBalance(address);
res.json({ balance: balance.toString() });
});
// Alchemy Dashboard: restrict API key to specific domains/IPs
// Dashboard > App > Settings > Allowed Domains
// src/security/validators.ts
import { ethers } from 'ethers';
function validateAddress(input: string): string {
if (!ethers.isAddress(input)) throw new Error(`Invalid address: ${input}`);
return ethers.getAddress(input); // Returns checksummed address
}
function validateBlockNumber(input: string | number): string {
if (input === 'latest' || input === 'pending' || input === 'earliest') return input;
const num = typeof input === 'string' ? parseInt(input) : input;
if (isNaN(num) || num < 0) throw new Error(`Invalid block number: ${input}`);
return `0x${num.toString(16)}`;
}
function validateTokenId(input: string): string {
if (!/^\d+$/.test(input) && !input.startsWith('0x')) {
throw new Error(`Invalid token ID: ${input}`);
}
return input;
}
export { validateAddress, validateBlockNumber, validateTokenId };
// src/security/wallet-safety.ts
// NEVER:
// - Hardcode private keys in source code
// - Log private keys or mnemonic phrases
// - Store private keys in .env files committed to git
// - Accept private keys from user input in a web app
// Safe wallet setup for server-side operations
import { ethers } from 'ethers';
import { Alchemy, Network } from 'alchemy-sdk';
async function createSafeWallet() {
const alchemy = new Alchemy({
apiKey: process.env.ALCHEMY_API_KEY,
network: Network.ETH_SEPOLIA,
});
const provider = await alchemy.config.getProvider();
// Load private key from secret manager (GCP example)
const { SecretManagerServiceClient } = await import('@google-cloud/secret-manager');
const client = new SecretManagerServiceClient();
const [version] = await client.accessSecretVersion({
name: `projects/${process.env.GCP_PROJECT}/secrets/deployer-private-key/versions/latest`,
});
const privateKey = version.payload?.data?.toString() || '';
const wallet = new ethers.Wallet(privateKey, provider);
return wallet;
}
// src/security/webhook-verify.ts
import crypto from 'crypto';
function verifyAlchemyWebhookSignature(
body: string,
signature: string,
signingKey: string,
): boolean {
const hmac = crypto.createHmac('sha256', signingKey);
hmac.update(body, 'utf8');
const expectedSig = hmac.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expectedSig),
);
}
For production deployment, see alchemy-prod-checklist.
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin alchemy-packInstalls Alchemy SDK and configures API key for Web3 blockchain access across Ethereum, Polygon, Arbitrum, Optimism, Base, and Solana.
Provides security checklists and patterns for authentication, user input validation (Zod), secrets management, API endpoints, file uploads, and payments.
Provides a security checklist covering secrets management, input validation, and SQL injection prevention. Includes code patterns and verification steps for common vulnerabilities.