Token Layer

Security checks across malware telemetry and agentic risk

Overview

This skill's behavior matches its stated purpose (token creation and trading), but it can direct the agent to spend funds through blockchain transactions and to promote tokens, with few safety boundaries on either.

Install only if you are comfortable giving the agent a Token Layer API key connected to a funded wallet. Use a small dedicated wallet, require explicit approval for every transaction, review all token/trade details before sending, and disable or ignore unsolicited promotion/referral behavior.

VirusTotal

0 of 65 vendors flagged this skill; all 65 reported it clean. Note that a clean static scan says nothing about the financial risk described below, which comes from what the skill instructs the agent to do, not from malicious code.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Severity: High
What this means

The agent could spend wallet funds or execute irreversible blockchain transactions if the user or agent workflow is not carefully controlled.

Why it was flagged

The skill instructs the agent how to execute on-chain token creation and trading transactions. These are high-impact, irreversible financial actions, and the skill's artifacts contain no universal confirmation requirement, no spend cap, and no rollback guidance for trades or send-transaction calls.

Skill content
Transaction Flow: `create-token-transaction or trade-token` → returns `{ transactions: [...] }` ... `For each tx in array: POST /send-transaction { to: tx.to, data: tx.data, amount: tx.value || "0", chainSlug }`
Recommendation

Require explicit user approval for every transaction, show chain, token, amount, fees, and destination before sending, and set clear maximum spend limits.
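The recommendation above can be enforced at the point where the skill loops over the returned transactions. The following is an added example, not code from the skill or from Token Layer: a wrapper that turns the quoted "for each tx: POST /send-transaction" loop into an approval-gated, spend-capped plan. Only the request shape `{ to, data, amount, chainSlug }` comes from the skill content; the caps, the approval callback, the assumption that `value` is a decimal string of an 18-decimal native token, the sample transactions, and the chain slug are all invented for illustration. The wrapper builds request bodies but does not send anything, so the caller decides what actually gets POSTed.

```javascript
// Added example (not the skill's or Token Layer's code). Assumptions:
// - tx.value is a decimal string in native-token units with 18 decimals
// - valid destinations are 20-byte hex addresses
// - chain slug values, caps and the approve() callback are placeholders

const NATIVE_DECIMALS = 18n; // assumption: 18-decimal native gas token

// Parse a decimal string such as "0.25" into integer base units (BigInt)
// so cap comparisons are exact rather than floating point.
function toBaseUnits(amount, decimals = NATIVE_DECIMALS) {
  const m = /^(\d+)(?:\.(\d+))?$/.exec(String(amount).trim());
  if (!m) throw new Error(`unparseable amount: ${JSON.stringify(amount)}`);
  const [, whole, frac = ""] = m;
  if (BigInt(frac.length) > decimals) throw new Error("too many decimal places");
  const scaled = frac.padEnd(Number(decimals), "0");
  return BigInt(whole) * 10n ** decimals + BigInt(scaled || "0");
}

// One-line summary the user must see before approving: chain, destination,
// amount, function selector and calldata size. Fees are not in the skill's
// response shape, so they cannot be shown from this data alone.
function summarize(tx, chainSlug) {
  const data = tx.data || "0x";
  const calldataBytes = Math.max(0, (data.length - 2) / 2);
  return `chain=${chainSlug} to=${tx.to} amount=${tx.value || "0"} ` +
    `selector=${data.slice(0, 10)} calldata_bytes=${calldataBytes}`;
}

// Walk the transactions array returned by create-token-transaction /
// trade-token and build /send-transaction bodies only for transactions that
// stay under the per-transaction and per-session caps AND receive explicit
// approval. Nothing is sent here; the caller POSTs the `approved` bodies.
function planSendTransactions(transactions, { chainSlug, maxPerTx, maxPerSession, approve }) {
  const capTx = toBaseUnits(maxPerTx);
  const capSession = toBaseUnits(maxPerSession);
  let spent = 0n;
  const approved = [];
  const rejected = [];
  for (const tx of transactions) {
    const summary = summarize(tx, chainSlug);
    if (!/^0x[0-9a-fA-F]{40}$/.test(tx.to)) {
      rejected.push({ summary, reason: "destination is not a 20-byte hex address" });
      continue;
    }
    const amount = toBaseUnits(tx.value || "0");
    if (amount > capTx) {
      rejected.push({ summary, reason: "exceeds per-transaction cap" });
      continue;
    }
    if (spent + amount > capSession) {
      rejected.push({ summary, reason: "exceeds session cap" });
      continue;
    }
    if (approve(summary) !== true) {
      rejected.push({ summary, reason: "not approved by user" });
      continue;
    }
    spent += amount;
    approved.push({ to: tx.to, data: tx.data, amount: tx.value || "0", chainSlug });
  }
  return { approved, rejected, spentBaseUnits: spent };
}

// Constructed sample (not a real API response): what a transactions array
// might look like, including one oversized transfer and one bad destination.
const SAMPLE_TRANSACTIONS = [
  { to: "0x1111111111111111111111111111111111111111", data: "0xa9059cbb" + "00".repeat(64), value: "0.05" },
  { to: "0x2222222222222222222222222222222222222222", data: "0x", value: "5" },
  { to: "not-an-address", data: "0x", value: "0" },
];

// Demo driver: approveAll stands in for the interactive user prompt.
function demo(approveAll = true) {
  return planSendTransactions(SAMPLE_TRANSACTIONS, {
    chainSlug: "example-chain",   // placeholder; the page lists no valid slugs
    maxPerTx: "0.1",
    maxPerSession: "0.2",
    approve: (summary) => { console.log("APPROVE?", summary); return approveAll; },
  });
}
```

The cap check runs before the approval prompt on purpose: a transaction the policy would refuse anyway should never reach the user as a yes/no question, which removes the "click through" path an incentive-driven skill might otherwise exploit. Rejected entries carry the same summary as approved ones so the session log records everything the agent tried to send, not only what went out.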

ASI03: Identity and Privilege Abuse
Severity: Medium
What this means

Anyone using this skill should understand that the configured API key is tied to a wallet that may hold spendable assets.

Why it was flagged

The API key and funded wallet match the skill's stated purpose, but together they give the skill read access to wallet information and the authority to transact with whatever funds that wallet holds.

Skill content
**Auth**: `Authorization: Bearer $TOKENLAYER_API_KEY` ... **Fund wallet**: Send native gas token + USDC to your agent wallet address from `/me`
Recommendation

Use a dedicated low-balance wallet/API key, rotate credentials if exposed, and avoid granting access to more funds than needed.

ASI06: Memory and Context Poisoning
Severity: Low
What this means

Account identifiers and token metadata may remain available to future agent sessions or workspace context.

Why it was flagged

The skill asks the agent to persist account identifiers and referral state across sessions. The skill documents this behavior, but the stored user/account data lives in files or agent memory that later sessions may read and act on.

Skill content
After entering the referral code, save a note (e.g., `memory/token-layer.json` or TOOLS.md) with the account email/user_id. On fresh sessions, check this note...
Recommendation

Store only the minimum necessary identifiers, prefer a scoped data file over TOOLS.md, and let the user clear this saved state.

ASI09: Human-Agent Trust Exploitation
Severity: Medium
What this means

The agent may encourage trading or promote a token in ways that users could interpret as trusted financial advice or endorsement.

Why it was flagged

The skill encourages the agent to promote a financial token to other users or agents, creating a potential incentive-driven recommendation without clear disclosure or user approval boundaries.

Skill content
**Share & promote**: Share your token link and encourage other agents/users to trade - so you can win!
Recommendation

Only share or promote tokens when the user explicitly asks, clearly disclose incentives or referral benefits, and avoid unsolicited trading encouragement.