v1.0.0

Sur

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:37 AM.

Analysis

This skill is purpose-aligned with SURGE token launching and trading, but it gives an AI agent high-impact crypto wallet and trading authority that users should review carefully before installing.

Guidance

Review this carefully before installing. Only use it if you are comfortable giving an agent a SURGE API key that can operate server-managed crypto wallets. Confirm every wallet, funding, launch, buy, and sell action manually, and revoke the API key when finished.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
You (the AI agent) handle the entire process through API calls

The skill delegates the full token-launch and trading workflow to the agent through API calls, including financial actions that can create wallets, fund them, and trade tokens.

User impact: If invoked too broadly or without careful confirmations, the agent could perform crypto actions that spend funds, create public tokens, or make irreversible trades.
Recommendation: Require explicit user approval before every wallet creation, funding request, token launch, buy, sell, or other transaction; show chain, amount, fees, slippage, token address, and reversibility before submitting.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Give the key to me and I'll handle everything from here

This wording encourages broad trust in the agent with an API key for high-impact crypto activity, without clearly emphasizing user review of each transaction.

User impact: A user may over-trust the agent or platform with custodial wallet and trading authority and may not realize the consequences of granting the key.
Recommendation: Clarify that the user remains responsible for all transactions, that server-managed wallets are custodial, and that the agent should not trade or launch tokens without explicit per-action consent.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
metadata
Source: unknown; Homepage: none

The skill has limited provenance information while directing users to grant an API key for a crypto trading service.

User impact: Users have less registry-level information to verify who maintains the skill or where to inspect the project before granting trading authority.
Recommendation: Verify the SURGE domain and publisher independently before generating an API key or letting the agent perform wallet or trading actions.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
API Key | User gives you a key starting with `sk-surge-...`

The skill requires the user to provide a SURGE API key, which is then used for account-linked wallet and trading operations.

User impact: The API key may allow the agent to act on the user's SURGE account and server-managed wallets, creating a significant permission boundary risk.
Recommendation: Use a narrowly scoped, revocable API key if available; revoke it after use; do not provide a key unless you understand what wallet and trading permissions it grants.