Niche - Peer to Peer Trading Cards Marketplace
Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for a trading-card marketplace, but it asks users to trust an unreviewed hosted service and recurring command with wallet/session access and payment-related actions.
Review this carefully before installing. Use a dedicated low-value wallet, verify whether the marketplace is testnet-only or uses real funds, confirm the source of the `niche` CLI and hosted backend, and disable or avoid the recurring match-check cron unless you explicitly want it.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users would need to trust an external hosted backend and unspecified CLI implementation for authentication, wallet signing, and escrow behavior.
The most sensitive logic is outside the reviewed artifact, and the provided package has no code or install spec for the CLI that would interact with it.
Hosted backend on Supabase Edge Functions. The CLI is a thin HTTP client — all heavy logic (auth, signing, escrow, on-chain transactions) runs server-side.
Install only after verifying the operator, backend provenance, and wallet/escrow implementation; start with testnet or very limited funds.
A local session or wallet-linked account could authorize marketplace actions or payment flows if mishandled.
The skill expects local session material and wallet identity to be used for account and payment actions, but the reviewed artifacts do not show clear bounds on how those credentials are stored, read, or protected.
~/.niche/auth.json ... niche login # Opens browser → email OTP → passkey → wallet created
Use a dedicated low-value wallet/account, confirm where session files are stored, and avoid installing unless credential handling is documented and trusted.
A background task could continue contacting the service or using local session context after the immediate user request is done.
The skill declares recurring background execution, but the invoked `niche` command is not part of the reviewed code and no opt-out or cleanup guidance is shown in the provided artifact.
"cron": [{ "schedule": "*/15 * * * *", "command": "niche check-matches", "description": "Check for new cards matching user watches every 15 minutes" }]
Confirm the cron job is optional, review how to disable it, and do not enable recurring checks until the CLI source and behavior are verified.
If invoked at the wrong time or for the wrong listing, the user could unintentionally pay, cancel, or place funds into dispute.
These are purpose-aligned marketplace commands, but they can change payment, escrow, listing, or dispute state.
niche confirm <id> # Confirm meetup + pay remaining (buyer) OR confirm meetup (seller)
niche cancel <id> # Cancel deposit and get refund
...
niche dispute <id> # File dispute, hold funds
Require explicit user confirmation for every payment, cancellation, listing mutation, or dispute command, and verify the listing ID and role before proceeding.
Users may misunderstand whether they are using testnet funds or real-value assets and may place more trust in the payment flow than warranted.
The artifact mixes testnet language with 'Real USDC deposit' language, which is unclear for a financial workflow.
Base Sepolia ... Place deposit ... Real USDC deposit ... niche fund [amount] # Open Circle faucet for testnet USDC
Clarify whether all flows are testnet only or involve real funds before logging in, funding a wallet, or signing any transaction.
