Token Research

What to check before installing: - Ask the publisher to declare required environment variables (at minimum: TWITTERAPI_KEY and any block-explorer API keys) in the skill metadata. Right now the skill references $TWITTERAPI_KEY but requires.env is empty. - Inspect the '~/workspace/scripts/ape-call.sh' referenced by the skill (or any 'call owner' mechanism). That script will be executed (or the skill will attempt to call it). Verify it does not exfiltrate research data or contact unknown endpoints. - Confirm how 'call owner' and 'send DM' steps are implemented and whether messaging credentials (Telegram/Discord/WhatsApp tokens) are needed — these are not declared. Do not grant messaging credentials until you verify the owner endpoint and message contents. - The skill instructs spawning parallel sub-agents and auto-deep-diving top picks. If you want to avoid autonomous multi-agent or background activity, restrict the skill's autonomous invocation or disable batch auto-deep-dive behavior. - The skill writes reports and appends watchlists under reports/ and watchlists/. Ensure you run it in an isolated workspace or that you trust these files will be appended only as described (the skill mandates 'APPEND only — never overwrite'). - Because the script makes many outbound network calls, review rate-limit and API-key usage (Etherscan/GoPlus) to avoid unexpected failures or leaking keys in logs. - If you are unsure about the owner or scripts, run the included fetch_token_data.sh in a sandboxed environment first and/or request the author to remove mandatory 'call owner' commands or to make owner notification optional. Bottom line: functionality is plausible for token research, but missing environment/credential declarations and mandatory 'call owner' outbound actions are red flags you should resolve before installing or enabling autonomous use.