ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WachAI-x402

DeFi risk analysis toolkit powered by WACH.AI via x402 payments using AWAL wallet custody. Use when the user asks to check if a token is safe, assess DeFi ri...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 815 · 0 current installs · 0 all-time installs
by@Akshat-Mishra101
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description, payment model (0.01 USDC on Base), AWAL custody requirement, and required runtime (Node.js/npm, AWAL CLI) align with a third‑party DeFi analysis tool that performs paid queries. No unrelated credentials or system-level access are requested.
Instruction Scope
SKILL.md instructs the agent to run AWAL/x402-wach CLI commands (setup, login/verify, balance, verify-risk) and to call an external API endpoint. The instructions explicitly prohibit asking for private keys and local wallet files, which reduces risk. Minor note: SKILL.md also shows a programmatic npm import (@quillai-network/x402-wach) but the skill provides no install spec — the skill expects a runtime environment with Node/npm and AWAL already available.
Install Mechanism
No install spec is present and there are no code files — this is an instruction-only skill. That is lower risk than an install that downloads or extracts arbitrary code. The requirement that Node/npm and AWAL be present is reasonable for the described JS client/CLI usage, though users should ensure AWAL and any npm packages come from trusted sources.
Credentials
The skill does not request environment variables, secret tokens, or access to unrelated services. It uses the user's AWAL-managed wallet for payments, which is proportionate to a paid analysis service. The skill's explicit prohibitions on private keys/seeds are appropriate.
Persistence & Privilege
always:false and normal autonomous invocation settings are used. The skill does not request persistent system-wide privileges or modification of other skills. There is no evidence it would persistently alter agent configuration.
Assessment
This skill is internally consistent for a paid DeFi risk tool that charges via an AWAL wallet, but check a few practical points before installing/using: 1) Confirm you have the AWAL CLI installed from the vendor's official source and that you trust the domain https://x402.wach.ai. 2) The skill will attempt on‑chain queries and make an external API call and a charged payment (0.01 USDC on Base) from your AWAL wallet — ensure you understand and authorize this. 3) Do not provide private keys, seed phrases, or local wallet files; the skill explicitly forbids them. 4) SKILL.md references an npm package (@quillai-network/x402-wach) but no install mechanism is provided — if you want programmatic usage, obtain the package from a trusted registry and verify its provenance. 5) Monitor your AWAL balance and payment receipts and verify any failed payment diagnostics the skill surfaces. If you need higher assurance, ask the publisher for a homepage, source repo, or verifiable release artifacts before use.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.2
Download zip
latestvk978cfszyqz7d6vk3ft24wxz9h818xhc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

x402-wach — DeFi Risk Analysis

A DeFi risk analysis toolkit powered by WACH.AI, using x402 with AWAL-managed key custody.

OpenClaw Hard Rules (Non-Negotiable)

When this skill is active, OpenClaw must follow all rules below:

  1. Never request or expose secrets

    • Never ask for private keys, seed phrases, mnemonics, wallet export files, or raw signing material.
    • Never suggest using wallet.json or any local key file flow.

  2. AWAL-only custody path

    • Always use AWAL-backed commands for setup and payments.
    • Treat legacy local-wallet instructions as invalid for this skill version.

  3. Run readiness checks before paid calls

    • Before verify-risk, ensure AWAL is ready via wallet setup or wallet doctor.
    • If not ready, stop and guide user to login/fund flow.

  4. Respect payment guardrails

    • Default max payment cap is 10000 atomic USDC ($0.01) per request.
    • Do not raise cap unless the user explicitly asks.

  5. Do not hide payment failure details

    • If payment fails, surface clear reason and next action (auth, balance, network, command mismatch).
    • Do not claim success unless report payload is actually present.

  6. No blind retries that may duplicate spend

    • For network/transient errors, retry once at most.
    • Keep the same request context and tell the user a retry was attempted.

  7. Always present source link in final report

    • Prefer TokenSense URL pattern:
      • https://tokensense.wach.ai/<chain>/<tokenAddress>
    • Use API source only as fallback.

When to Use This Skill

Use this skill when user asks to:

  • assess DeFi risk for a token
  • detect scam/honeypot patterns
  • inspect holder concentration/liquidity quality
  • review contract risk signals
  • get risk/market/code score breakdown
  • evaluate tokens across eth, pol, base, bsc, or sol

Supported Chains

Short NameChainToken Standard
ethEthereumERC-20
polPolygonERC-20
baseBaseERC-20
bscBinance Smart ChainBEP-20
solSolanaSPL

Payment is always in USDC on Base, regardless of analysis chain.

Command Playbook for OpenClaw

1) Readiness / Setup

Run:

x402-wach wallet setup

If setup says not ready, run:

x402-wach wallet doctor
x402-wach wallet login <EMAIL>
x402-wach wallet verify <FLOW_ID> <OTP>
x402-wach wallet balance

Interpretation:

  • ✓ Ready to make x402 payments with AWAL -> proceed to analysis.
  • AWAL wallet is not authenticated -> run login + verify flow.
  • Insufficient USDC on Base -> ask user to fund AWAL address.
  • Could not read AWAL balance/status -> run doctor and show raw failure.

2) Risk Analysis

Run:

x402-wach verify-risk <TOKEN_ADDRESS> <CHAIN_SHORT_NAME>

Preferred cap-safe form:

x402-wach verify-risk <TOKEN_ADDRESS> <CHAIN_SHORT_NAME> --max-amount-atomic 10000

3) Optional Helpers

x402-wach wallet status
x402-wach wallet address
x402-wach chains
x402-wach guide

Tool Result Interpretation Rules

Readiness/Doctor Output

  • Contains ✓ Ready -> safe to proceed with paid analysis.
  • Contains not authenticated -> require OTP login/verify.
  • Contains Insufficient USDC -> request wallet funding on Base.
  • Contains command-help text from AWAL -> command mismatch/version issue; run x402-wach wallet doctor and use supported subcommands shown.
  • Contains JSON parse errors -> treat as AWAL output format mismatch; surface raw error and do not continue paid flow.

verify-risk Output

  • Token analysis complete! + populated sections -> success.
  • Header only with empty body -> payload unwrap issue; report as tool parsing bug.
  • No token found / empty report -> valid call, no token at address/chain.
  • 402/payment error -> wallet balance/cap/auth issue; user action required.

Safety-Focused User Guidance

When blocked, provide this exact short path:

x402-wach wallet doctor
x402-wach wallet login <email>
x402-wach wallet verify <flowId> <otp>
x402-wach wallet balance

Then retry:

x402-wach verify-risk <TOKEN_ADDRESS> <CHAIN_SHORT_NAME> --max-amount-atomic 10000

Programmatic Usage Pattern (Agent-Friendly)

import {
  getAwalReadiness,
  validateTokenAddress,
  verifyTokenRisk,
} from "@quillai-network/x402-wach";

const token = "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48";
const chain = "eth";

const validation = validateTokenAddress(token, chain);
if (!validation.valid) throw new Error(validation.error);

const readiness = await getAwalReadiness(10_000);
if (!readiness.ready) throw new Error(readiness.reasons.join("; "));

const report = await verifyTokenRisk(token, chain, { maxAmountAtomic: 10_000 });
console.log(report);

Expected Report Sections

On successful analysis, formatted output can include:

  • Market Data
  • Risk Scores
  • Honeypot Analysis
  • Holders
  • Liquidity
  • Code Analysis
  • Social & Community
  • Source (TokenSense link) + report timestamp

Absolute Prohibitions for OpenClaw

  • Do not use or suggest wallet create, wallet import, or wallet.json.
  • Do not ask user for private key or seed phrase.
  • Do not increase spend cap silently.
  • Do not claim analysis success when output parsing failed.
  • Do not suppress AWAL raw errors when diagnosis is needed.

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…