Clawhub Skills

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill Name: Developer: Version: Description: OpenClaw Agent Skill

The skill bundle defines a trading agent for K-pop lightstick tokens, interacting with a specific Supabase endpoint (`https://jguylowswwgjvotdcsfj.supabase.co/functions/v1/`). The `SKILL.md` file provides clear instructions for using `get_token_price`, `buy_fanz_token`, and `sell_fanz_token` tools, along with trading logic and constraints. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts to subvert the agent's core directives. All described actions are aligned with the stated purpose of token trading.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent uses the provided API key, it could buy or sell tokens, incur fees, and create trading losses up to the provider-enforced limits.

Why it was flagged

The skill exposes direct buy and sell API operations for token trading, but the instructions do not require explicit user approval before each high-impact transaction.

Skill content

### buy_fanz_token

Purchase 1 lightstick token.

**Endpoint**: `POST /functions/v1/bot-buy-token`

...

### sell_fanz_token

Sell 1 lightstick token.

Recommendation

Use only with explicit user confirmation for every trade, user-defined daily budget and loss limits, token allowlists, and a read-only price-check mode by default.

What this means

Providing the key may let the agent trade on the user’s account through the K-Trendz API.

Why it was flagged

The API key is expected for this integration, but in this context it likely authorizes account-level trading actions and should be scoped and protected carefully.

Skill content

Include your API key in the `x-bot-api-key` header for all requests.

Recommendation

Use a least-privilege API key if available, rotate it if exposed, and avoid sharing a key that can access unrelated account functions or higher balances.

What this means

The user has less public information for verifying who operates the API and whether the trading service is trustworthy.

Why it was flagged

The skill has limited provenance information, which matters more because it instructs the agent to send credentialed requests to a trading API.

Skill content

Source: unknown
Homepage: none

Recommendation

Verify the provider and API endpoint out of band before supplying credentials or authorizing trades.