Boiling Point

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned for crypto token launching and trading, but it can use a Token Layer API key to submit real on-chain transactions and the approval boundaries are not fully clear.

Install only if you intend to let an agent help with crypto token creation or trading. Use a dedicated low-balance wallet/API key, verify every quote and transaction before allowing it to be sent, and remember that on-chain transactions and token creation are public and often irreversible.

VirusTotal

63/63 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

The agent could submit a real blockchain transaction that spends wallet funds, trades tokens, or creates a token if the user does not carefully confirm the details.

Why it was flagged

This instructs the agent to submit transactions returned by the API. Because these are on-chain token creation/trading transactions, mistakes or autonomous execution could spend funds or create irreversible public actions; the artifact only clearly says to show the user for approval before token creation, not before every trade or send-transaction.

Skill content

1. Call create-token-transaction or trade-token  returns { transactions: [...], metadata: {...} }
2. For each tx in array: POST /send-transaction { to: tx.to, data: tx.data, amount: tx.value || "0", chainSlug }

Recommendation

Require explicit human confirmation for every quote, trade, and `/send-transaction`, including chain, token ID, amount, destination, and expected cost; use testnet or a low-balance dedicated wallet first.

ASI03: Identity and Privilege Abuse
Medium
What this means

Anyone or any agent flow with access to this API key may be able to view wallet information and initiate supported Token Layer actions.

Why it was flagged

The skill needs a bearer API key tied to an agent wallet that can be funded for gas and trading. This is expected for the stated purpose, but it is a sensitive delegated credential.

Skill content

**Auth**: `Authorization: Bearer $TOKENLAYER_API_KEY`
...
**Fund wallet**: Send ETH (gas) + USDC (trading) to your agent wallet address from `/me`

Recommendation

Use a dedicated Token Layer agent wallet with limited funds, keep the API key private, rotate it if exposed, and avoid sharing it across unrelated skills.

ASI09: Human-Agent Trust Exploitation
Low
What this means

Tokens created through the skill may publicly show their origin/application attribution.

Why it was flagged

Token creation includes public attribution through a builder code. This is disclosed and purpose-aligned, but users should know that created-token origin metadata may be publicly visible.

Skill content

The `builder` parameter identifies which application created a token. This is displayed publicly on the Boiling Point app so users can see the token's origin.

Recommendation

Confirm you are comfortable with the public attribution and any referral/builder metadata before creating a token.