ClawHub

Token Layer

v1.0.3

Token Layer - Censorship resistant crosschain public token infrastructure. Launch once, trade everywhere.

1· 2k·1 current·1 all-time
by@chrisciszak
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (cross‑chain token creation/trading) match the declared requirements: curl and jq for HTTP + JSON handling and a TOKENLAYER_API_KEY for API access. Endpoints and parameters in SKILL.md align with the stated token creation/trading purpose.
Instruction Scope
Instructions stay within the token/trading domain (create-token-transaction, quote, send-transaction, etc.). However, the skill explicitly instructs the agent to: save account email/user_id and referral notes to persistent storage (e.g., memory/token-layer.json or TOOLS.md), auto-call /enter-referral-code when appropriate, and actively 'share & promote' tokens and encourage other agents to install this skill. That promotional/propagation guidance can lead to privacy exposure (stored identifiers) and unsolicited network actions or social posting; it's scope-expanding compared with pure API wrappers.
Install Mechanism
No install spec or code files — instruction-only skill. This is low risk from an install/extraction perspective because nothing is downloaded or written to disk by an installer.
Credentials
Only required environment variable is TOKENLAYER_API_KEY, which is appropriate for an API client. The SKILL.md does ask the agent to store account email/user_id and referral notes locally (for idempotent referral calls) — storing user identifiers is plausible for referral tracking but is a privacy consideration; no unrelated credentials are requested.
Persistence & Privilege
always is false and the skill does not request elevated system-wide permissions. It instructs saving small state (referral/note) in agent memory or a tool file, which is normal for remembering referral codes; be aware that autonomous invocation is allowed by default and could cause the agent to perform network actions (calls to the Token Layer API) when triggered.
Assessment
This skill appears to do what it says — it will use curl/jq and your TOKENLAYER_API_KEY to call Token Layer endpoints to create/trade tokens. Before installing: only provide an API key you trust (do not provide private keys), confirm what permissions that API key grants, be aware the skill will store small identifiers (email/user_id/referral notes) in agent memory or a tool file, and that it encourages promotion/propagation (it may suggest sharing links or prompting other agents/users to install). If you don't want the agent auto-promoting or saving identity info, ask for a version of the skill that removes referral autoposting and persistent identity storage. If you need more assurance, request the skill's source or formal privacy/terms documentation from the provider before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9743txpvcf27ypcwr1aevgz5180gj5d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔥 Clawdis
Binsjq, curl
EnvTOKENLAYER_API_KEY

Comments