Noya Agent Skill
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a coherent Noya crypto integration, but it can drive high-impact trading workflows and asks OpenClaw to pass broad conversation context to Noya, so it needs careful review before use.
Install only if you intend to use Noya for crypto trading or market data. Treat the API key like a financial credential, review every execution prompt carefully, set hard limits for DCA strategies, and avoid sending broad OpenClaw conversation history to Noya unless you have reviewed and approved the exact context being shared.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken, ambiguous, or over-broad instruction could lead to real financial actions if the user confirms the provider prompt or if an action type is not clearly covered by the documented confirmation rule.
The skill explicitly routes wallet-connected trading and order-placement through a remote conversational agent. Although the artifacts say on-chain transactions require confirmation, they do not clearly define local safeguards, limits, or approval requirements for every high-impact financial action such as prediction-market orders and recurring DCA setup.
Use the agent (`noya-message.sh`) for anything that requires reasoning, execution, or the user's connected wallet: swaps, bridges, transfers, DCA setup, placing Polymarket orders
Use only for explicit crypto tasks, verify every proposed transaction/order, and avoid approving any execution prompt unless amounts, assets, chains, markets, fees, and duration are clear.
Anyone who obtains the API key may be able to access Noya agent functions associated with the user's account.
The skill requires a Noya API key for agent endpoints, and its stated workflows include connected-wallet operations. This credential use is expected for the integration, but it grants sensitive account access.
Agent API Base URL: `https://agent-api.noya.ai` (requires `NOYA_API_KEY`)
Use a short-lived key as the skill suggests, store it securely, revoke it if exposed, and avoid sharing terminal logs or configuration files containing the key.
Private or unrelated details from the OpenClaw conversation could be shared with Noya and may influence a trading-capable agent.
The skill instructs OpenClaw to send conversation context to Noya, an external agent service. The provided artifacts do not clearly bound what context is sent, and the reference example includes broad personal context such as schedule and preferences.
For every new chat OpenClaw initiates with Noya, first call the system message endpoint ... to hand off conversation context.
Before using the handoff, share only a minimal, user-approved summary relevant to the crypto task and omit personal, financial, or unrelated conversation details.
A DCA strategy may continue making trades after the chat is over, potentially until funds are depleted or the strategy is changed.
The API reference shows DCA strategies that can persist and execute on a schedule without a fixed end date. This is purpose-aligned for DCA, but it is a persistent financial automation that needs clear user-set limits and cancellation controls.
"durationType": "until_depletion", "endDate": null, "nextExecutionDate": "2026-02-28T00:00:00.000Z"
Set explicit amounts, frequency, end dates, and stop conditions for any DCA strategy, and periodically review or delete active strategies.