Alura

Review

Audited by ClawScan on May 10, 2026.

Overview

This is an instruction-only API reference, but it gives an agent authenticated trading and funds-movement capabilities without clear approval limits.

Use this only if you intend the agent to interact with the Alura testnet API. Verify the official API domain, treat wallet signatures and Bearer tokens as sensitive, and require explicit confirmation before any trade, withdrawal, close-position, reward, or USDC action.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent uses these endpoints with a valid token, it could change trading/account state or initiate USDC-related actions, even if the API is described as testnet.

Why it was flagged

The skill documents authenticated endpoints that can move funds or close positions, but the artifact does not provide approval, scoping, or verification guidance for these high-impact actions.

Skill content

POST | /user/withdraw | Withdraw funds ... POST | /user/close-all-positions | Close all positions ... POST | /user/send-usdc | Send USDC

Recommendation

Require explicit user confirmation before any POST action that trades, closes positions, withdraws, or sends USDC; confirm asset, amount, recipient, and session ID before calling.

What this means

A leaked or misused token/key could let someone act on the user's Alura account during the token lifetime.

Why it was flagged

Bearer tokens and trading keys are expected for this API integration, but they grant account-level authority and should be treated as sensitive credentials.

Skill content

All authenticated endpoints require `Authorization: Bearer <JWT>` ... Returns `{ ok: true, accessToken, tokenType: "Bearer", expiresIn: 86400, ... }` ... GET | /auth/evm/trading-key | Get trading agent key (auth)

Recommendation

Only provide tokens after verifying the domain and task, avoid sharing private keys, and revoke or refresh credentials if they may have been exposed.

What this means

Users may have less assurance that the API reference is official, current, or safe to follow.

Why it was flagged

The skill has no code, but the API instructions are not tied to an identified source or homepage, which matters more because the skill involves wallet authentication and trading actions.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the Alura API base URL and documentation through an official channel before signing wallet messages or authorizing trading actions.