Sur
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for SURGE token launches and trading, but it asks the agent to use an API key and server-managed wallets to perform real financial actions, so it should be reviewed carefully before use.
Only use this skill if you trust SURGE with a server-managed wallet and understand that token launches and trades can affect real funds. Use a dedicated revocable API key, keep deposits small, and require explicit confirmation before every funding, launch, buy, or sell action.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could perform wallet, launch, or trading actions that may spend funds or create irreversible on-chain effects.
The skill delegates token launches and trading to the agent via API calls. These are high-impact financial operations, and the visible instructions do not clearly require a final user confirmation before each launch, funding use, or trade.
After creation, user can **buy and sell** tokens ... You (the AI agent) handle the entire process through API calls
Require explicit user confirmation for each wallet funding, token launch, buy, sell, amount, chain, and destination before sending any mutating API request.

Anyone or any agent workflow with this key may be able to operate the user's SURGE account, managed wallets, token launches, or trades according to the API key's permissions.
The skill asks the user to provide a SURGE API key that is then used for wallet and trading API calls. The registry metadata says there is no primary credential, creating ambiguity around the credential boundary for a financial service.
User gives you a key starting with `sk-surge-...`
Use a dedicated, minimally scoped key if available, revoke it when finished, and do not share keys beyond the intended session.

Funds sent to the managed wallet depend on SURGE account access, platform custody, and API behavior; mistakes or misuse may affect real assets.
The wallet custody model is server-managed, and later instructions tell users to send funds to the wallet address. This is purpose-aligned but high-impact because the user is relying on the service and API controls rather than holding the private key directly.
All wallets are **server-managed** — no private keys needed from user
Only fund small amounts you are willing to risk, verify withdrawal and custody terms directly with SURGE, and confirm how wallet access can be revoked or recovered.

A user may deposit funds or approve trades without fully understanding that wallet control depends on the service and API key.
This reassurance is part of the scripted user messaging for a custodial/server-managed wallet. It may understate the trust and custody tradeoff even if the behavior is intentional.
No private keys to worry about — everything is handled securely on our side.
Add clear custody, withdrawal, loss, and revocation disclosures instead of relying only on broad security assurances.

Users have less independent context for verifying the provider, API behavior, or custody claims before granting a key and sending funds.
The registry does not provide a source or homepage, which limits provenance review for a skill that connects to a remote financial API.
Source: unknown; Homepage: none
Verify the SURGE service, domain, documentation, and key permissions independently before installing or using the skill.
