v1.0.9

Boiling Point

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:19 AM.

Analysis

This skill is coherent with its stated token launch/trading purpose, but it can use a funded wallet API key to submit real on-chain transactions and does not clearly require per-trade confirmation or spending limits.

Guidance

Install only if you are comfortable letting an agent use a Token Layer API key tied to wallet funds. Use a dedicated low-balance wallet, verify the Token Layer service, require approval before every transaction, and remember that mainnet blockchain transactions are generally irreversible.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
`/trade-token` | POST | Buy/sell (returns tx[]) ... `/send-transaction` | POST | Execute tx on-chain ... For each tx in array: POST /send-transaction

The skill documents a flow where API calls create buy/sell transactions and then submit each returned transaction on-chain. This is a high-impact financial action, and the explicit approval guidance is only stated for token creation, not for every trade or send-transaction.

User impact: If used too broadly, the agent could spend wallet funds or submit irreversible blockchain transactions without the user reviewing each specific trade.
Recommendation: Require explicit user approval for every create, trade, and send-transaction call, including chain, token, direction, amount, fees, and recipient/contract details; prefer testnet or a minimally funded wallet.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
`Auth`: `Authorization: Bearer $TOKENLAYER_API_KEY` ... `Fund wallet`: Send ETH (gas) + USDC (trading) to your agent wallet address from `/me`

The bearer API key is used with a wallet that the user is expected to fund for gas and trading. That gives the integration authority over real financial assets.

User impact: Anyone or any agent flow using this key may be able to act through the funded Token Layer wallet and submit transactions that affect real funds.
Recommendation: Use a dedicated low-balance wallet/API key, rotate the key if exposed, avoid reusing personal wallets, and define strict per-transaction and daily spending limits before enabling the skill.