TopoLift: Negotiation Skill
Advisory. Audited by static analysis on May 8, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent has access to a wallet/payment tool, repeated API calls could spend real funds without the user noticing until after the fact.
The skill describes an autonomous-agent payment workflow using real USDC, but does not specify user confirmation, spending limits, wallet isolation, or rate limits for paid calls.
Evidence from the skill text: x402 pay-per-call (autonomous agents — no signup) ... sign EIP-3009 USDC transfer for $0.10 on Base mainnet → resend with `X-PAYMENT` header
Require explicit user approval or a hard spend cap before any x402 payment, and use a limited-balance wallet or disable autonomous payment tools for this skill.

A copied or over-privileged key could allow unwanted use of the paid TopoLift API.
The skill supports a provider API key for the TopoLift MCP server. This is expected for the integration, but it gives the configured MCP server delegated access to the user's TopoLift account.
Evidence from the skill text: claude mcp add topolift-negotiation -e TOPOLIFT_API_KEY=tl-... -- topolift-mcp
Use the least-privileged key available, keep it out of shared logs or prompts, and rotate it if it may have been exposed.

Confidential negotiation positions or pricing information could be shared with an external service.
The direct API example sends negotiation goals, reservation price, aspiration price, current offer, and scenario details to TopoLift's external API. That data flow is purpose-aligned but may be commercially sensitive.
Evidence from the skill text: "principal": { "goals": "Sell at $22k+", "reservation_price": 22000, "aspiration_price": 28000 }
Avoid sending confidential deal details unless the user accepts TopoLift's data handling terms; redact or generalize sensitive scenarios when possible.

The reviewed skill text does not show what the external MCP server package will execute locally.
The skill is instruction-only, but one supported path requires installing and running an external MCP package that was not included in the reviewed artifacts.
Evidence from the skill text: pip install topolift-mcp ... Listed at the official MCP registry as `io.github.TopoLift/topolift-mcp`.
Verify the PyPI/GitHub package provenance, inspect or pin the package version, and install it only from the official source.
