Web3 Trader

This skill is coherent with its stated DEX-aggregator purpose, but take these precautions before installing or using it: - Trust the MCP server: the recommended MCP remote mode delegates quoting/page hosting to https://mcp-skills.ai.antalpha.com. That server will generate preview URLs and host swap pages; you must trust it not to serve malicious pages or to mis-handle previews. If you don't trust that server, use local CLI mode and your own hosting. - Protect your API key: the skill expects a 0x API key in ~/.web3-trader/config.yaml. Keep that file permissioned (chmod 600) and do not commit it to version control. Rotate/revoke the key if you suspect leakage. - Inspect before running install scripts: install.sh is included and indicates pip-installing dependencies. Do not pipe unknown remote install scripts directly to bash; inspect the script first and run commands intentionally. - Review all transactions before signing: the skill builds unsigned tx data only — wallets sign/broadcast. Always verify to/from addresses, amounts, slippage and the target contract in your wallet UI prior to signing. - Be aware of third-party hosting: local-mode docs suggest using a public file host (catbox) for swap pages. Hosting on public services can expose links; consider self-hosting or short-lived uploads. - Test on small amounts / testnet first: use small trades or testnets until you're comfortable with the workflow. If you want extra assurance, request: (1) signed provenance of the MCP server domain and maintainers, (2) a minimal install path that avoids curl|bash, or (3) to run the skill in a sandboxed environment and inspect traffic to the MCP/0x endpoints.