ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ATXSwap

v0.0.6

Manage ATX on BSC with wallet creation, price and balance queries, PancakeSwap V3 swaps, liquidity operations, and BNB/ERC20 transfers. Use when the user men...

0· 106·0 current·0 all-time
byatxswap@agentswapx

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for agentswapx/atxswap.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "ATXSwap" (agentswapx/atxswap) from ClawHub.
Skill page: https://clawhub.ai/agentswapx/atxswap
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node, npm
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install agentswapx/atxswap

ClawHub CLI

Package manager switcher

npx clawhub@latest install atxswap
Security Scan
Capability signals
CryptoRequires walletRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (ATX on BSC: wallet, price/quote, swaps, liquidity, transfers) match the shipped scripts and dependency on atxswap-sdk. Required binaries (node, npm) are appropriate and there are no unrelated credentials requested.
Instruction Scope
SKILL.md explicitly instructs running npm install and the provided node scripts. The scripts only perform wallet, query, swap, liquidity, and transfer actions through the SDK and read/write under the skill and the user's home config; they do not attempt to read unrelated system files or transmit data to unexpected external endpoints.
Install Mechanism
No custom download/install URL is used; dependencies are pulled from npm (package.json/package-lock). That is expected for a Node-based wallet skill. No archive-from-unknown-host or ad-hoc remote executable downloads observed.
Credentials
The skill declares no required env vars but supports an optional BSC_RPC_URL. It stores keystore and 'secure' files under ~/.config/atxswap/ (master.key + secrets.json per docs) and auto-saves wallet passwords via the SDK; that local secret storage is proportionate to a wallet skill but is not declared in the registry metadata's 'required config paths' (metadata showed none). Users should be aware the skill will create and manage on-disk keystore and password storage in the user's home directory.
Persistence & Privilege
The skill is not always-enabled and does not change other skill configs. It does create and persist wallet keystore and saved-password data under the user's home (~/.config/atxswap/), which grants it persistent access to that on-disk secret material while installed — expected for a wallet but worth highlighting.
Assessment
This skill appears to do what it says (create a single wallet, query prices, run swaps/transfers via atxswap-sdk). Before installing: 1) Inspect the atxswap-sdk npm package and its GitHub source to confirm the keystore/secrets handling and any network endpoints it uses; 2) Understand the skill will create files under ~/.config/atxswap/ (keystore and secrets/master.key) and may save a password there — if you don't want keys on the host, don't install or use it on a shared machine; 3) Use a private RPC via BSC_RPC_URL if you distrust public endpoints; 4) Note the skill only generates a new wallet (doesn't import private keys) and exports only encrypted keystore V3 JSON; if you need different key provisioning workflows, use a dedicated wallet tool instead. If you want the assessment to be stronger, provide the atxswap-sdk source or confirm how and where the SDK stores saved passwords and master.key.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

OSLinux · macOS
Binsnode, npm
atxvk97a3fmrdqfgtqydscna5f731985ejwjatxswapvk97a3fmrdqfgtqydscna5f731985ejwjbscvk97a3fmrdqfgtqydscna5f731985ejwjlatestvk97a3fmrdqfgtqydscna5f731985ejwjtradingvk97a3fmrdqfgtqydscna5f731985ejwj
106downloads
0stars
5versions
Updated 26m ago
v0.0.6
MIT-0
Linux, macOS
atxswap@agentswapx
atxatxswapbsclatesttrading
Download

ATXSwap Skill

Execute ATX trading and wallet workflows on BSC. This skill is designed for agents that need safe, repeatable commands for wallet management, ATX/USDT quotes, swaps, V3 liquidity actions, and transfers.

  • SDK: atxswap-sdk on npm (source)
  • Keystore dir: ~/.config/atxswap/keystore (fixed, not configurable)
  • Secrets dir: ~/.config/atxswap/ (master.key + secrets.json)

Use This Skill For

  • Create the single wallet used by this skill instance (importing an existing private key is not supported)
  • Query ATX price, balances, LP positions, quotes, and arbitrary ERC20 token info
  • Buy or sell ATX against USDT on PancakeSwap V3
  • Add liquidity, remove liquidity, collect fees, or burn empty LP NFTs
  • Transfer BNB, ATX, USDT, or arbitrary ERC20 tokens

Before First Use

This skill ships its own Node scripts and depends on atxswap-sdk.

  1. Open the skill directory where this SKILL.md is installed.
  2. Run npm install there before using any script.
  3. If npm install fails, stop and report the dependency error instead of guessing.

If the skill is installed via ClawHub or OpenClaw CLI, the install location is typically ~/.clawhub/skills/atxswap/ (or the equivalent client-managed path). If you cloned this repository directly, the location is skills/atxswap/.

Script Location

Use the skill directory path to locate scripts. If ${SKILL_DIR} is available (injected by skills.sh-compatible runtimes), use it; otherwise use the absolute path to this skill's installed directory.

Example:

cd skills/atxswap && npm install
cd "${SKILL_DIR}" && node scripts/wallet.js list

All examples below use cd "${SKILL_DIR}" && for clarity. If your runtime does not inject ${SKILL_DIR}, replace it with the absolute path of the installed skill directory.

Runtime Notes

  • BSC_RPC_URL is optional and supports comma-separated values for fallback, e.g. BSC_RPC_URL="https://primary,https://backup1,https://backup2". When unset, scripts use a built-in fallback list of 8 BSC public RPC endpoints and viem will retry them in order.
  • Wallet files live under ~/.config/atxswap/keystore.
  • Secure secrets live under ~/.config/atxswap/ (master.key + secrets.json).
  • Only one wallet is allowed per skill installation. If a wallet already exists, wallet.js create fails.
  • Use wallet.js list before creating a wallet.
  • Importing an existing private key via this skill is not supported. If the user asks to import a private key, refuse and tell them to use a dedicated wallet tool of their choice.
  • Scripts write JSON output. wallet.js export prints the address's encrypted keystore V3 JSON to stdout (or writes it to a file via --out <file>); it never prints the raw private key.
  • query.js quote can return a JSON error if the configured Quoter or RPC rejects the simulation. Surface the error and do not proceed to a write.

Password Rules

When the user asks to create a wallet:

  1. Ask the user for a password first (do NOT generate one).
  2. Pass it via --password <pwd> to the script when running non-interactively.
  3. The password is auto-saved to secure storage after creation.
  4. Never print the password back to the chat.

For swap, transfer, and liquidity operations, rely on auto-unlock first. Only ask for the password if auto-unlock fails.

Hard Safety Rules

  1. Treat all BSC writes as real-asset operations.
  2. NEVER output private keys or passwords in chat.
  3. ALWAYS run a preview before write actions: query price, quote, balance, or positions as appropriate.
  4. ALWAYS show the preview to the user and wait for explicit confirmation before swap, transfer, or liquidity writes.
  5. NEVER execute large trades without the user saying "yes" or "confirm".
  6. wallet.js export only emits the encrypted keystore JSON, never the raw private key. There is no command that prints the unencrypted private key, and the agent must not attempt to derive or display one.
  7. Prefer wallet.js export <address> --out <file> and tell the user the file path. Avoid pasting the keystore JSON itself into chat unless the user explicitly asks for it.

Required Preview Flow

Before every write action:

  1. Query the price, quote, balance, or positions that match the requested action.
  2. Summarize the preview in plain language.
  3. Ask the user to confirm.
  4. Execute the write command only after confirmation.
  5. Return the transaction hash and the key result fields.

High-Value Workflows

Check market state

cd "${SKILL_DIR}" && node scripts/query.js price
cd "${SKILL_DIR}" && node scripts/query.js balance <address>
cd "${SKILL_DIR}" && node scripts/query.js positions <address>

Preview before swap

cd "${SKILL_DIR}" && node scripts/query.js quote <buy|sell> <amount>

Execute after confirmation

cd "${SKILL_DIR}" && node scripts/swap.js buy <usdtAmount> [--from address] [--slippage bps] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/liquidity.js add <atxAmount> <usdtAmount> [--from address] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/transfer.js atx <to> <amount> [--from address] [--password <pwd>]

Command Reference

wallet.js

cd "${SKILL_DIR}" && node scripts/wallet.js create [name] --password <pwd>
cd "${SKILL_DIR}" && node scripts/wallet.js list
cd "${SKILL_DIR}" && node scripts/wallet.js export <address> [--out <file>]
cd "${SKILL_DIR}" && node scripts/wallet.js has-password <address>
cd "${SKILL_DIR}" && node scripts/wallet.js forget-password <address>

query.js

cd "${SKILL_DIR}" && node scripts/query.js price
cd "${SKILL_DIR}" && node scripts/query.js balance <address>
cd "${SKILL_DIR}" && node scripts/query.js quote <buy|sell> <amount>
cd "${SKILL_DIR}" && node scripts/query.js positions <address>
cd "${SKILL_DIR}" && node scripts/query.js token-info <tokenAddress>

swap.js

cd "${SKILL_DIR}" && node scripts/swap.js buy <usdtAmount> [--from address] [--slippage bps] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/swap.js sell <atxAmount> [--from address] [--slippage bps] [--password <pwd>]

liquidity.js

cd "${SKILL_DIR}" && node scripts/liquidity.js add <atxAmount> <usdtAmount> [--from address] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/liquidity.js remove <tokenId> <percent> [--from address] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/liquidity.js collect <tokenId> [--from address] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/liquidity.js burn <tokenId> [--from address] [--password <pwd>]

transfer.js

cd "${SKILL_DIR}" && node scripts/transfer.js bnb <to> <amount> [--from address] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/transfer.js atx <to> <amount> [--from address] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/transfer.js usdt <to> <amount> [--from address] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/transfer.js token <tokenAddress> <to> <amount> [--from address] [--password <pwd>]

When To Refuse Or Pause

  • Missing wallet but the user requests a write action
  • Missing confirmation for swap, transfer, or liquidity writes
  • npm install has not been run successfully in the skill directory
  • RPC, dependency, or wallet-unlock errors that make the state unclear

Standard Workflow

For any write action:

  1. Query current price, quote, balance, or positions as needed.
  2. Summarize the preview for the user.
  3. Wait for explicit confirmation.
  4. Execute the write command.
  5. Report the transaction hash and result.

Comments

Loading comments...