ClawHub

Is Token Safe?

Evaluates a crypto token's contract for scam risks and flags its safety level with reasons for trading and decision-making purposes.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 513 · 1 current installs · 1 all-time installs
by@dokbawi80
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md and description say the skill analyzes token contracts, and scan.js implements that. However skill.json points to index.js, which is a trivial passthrough that does not perform any scanning. This divergence means the package on-disk does not match the declared runtime entrypoint and the skill may be non-functional or intentionally obfuscated.
Instruction Scope
SKILL.md describes token analysis (input: token address -> risk level). The actual scan logic (in scan.js) contacts external services: a public Base RPC (https://mainnet.base.org) and the honeypot.is API, sending the token address and chain param. That network transmission is expected for a token scanner but is not documented in SKILL.md (no mention of which chain is assumed — scan.js hardcodes 'base').
Install Mechanism
There is no install spec or dependency manifest. scan.js requires Node modules (ethers, axios) but these are not declared; the skill may fail to run in a strict environment or rely on preinstalled packages. No downloads or external installers are present.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The code does not attempt to read local secrets or files.
Persistence & Privilege
The skill is not always-enabled and requests no elevated persistence or changes to other skills/config. It only performs transient network calls in the scan logic.
What to consider before installing
This package is inconsistent: the documentation and scan.js implement a token scanner that calls a public Base RPC and an external honeypot API, but the declared entrypoint (index.js) does nothing. Before installing or enabling: 1) ask the author to fix the entrypoint so the runtime executes the scanner you expect (or explain why index.js is the real entry); 2) require a package.json or install instructions for ethers/axios; 3) confirm you are OK with the token address being sent to https://api.honeypot.is and using the Base RPC (privacy/telemetry concerns); and 4) if you need scans for other chains, request chain selection rather than a hardcoded 'base'. Because of the entrypoint mismatch and missing dependency metadata, treat this skill as suspicious until the author clarifies/corrects these issues.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
erc20vk97a0d62wza9vnqyffnvdqnd4h81dprklatestvk97a0d62wza9vnqyffnvdqnd4h81dprkscamvk97a0d62wza9vnqyffnvdqnd4h81dprksecurityvk97a0d62wza9vnqyffnvdqnd4h81dprktokenvk97a0d62wza9vnqyffnvdqnd4h81dprk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

IsTokenSafe

Checks whether a given crypto token is potentially malicious or risky.

What it does

  • Analyzes token contract metadata
  • Flags common scam or rug-pull patterns
  • Provides a quick safety signal for trading bots and agents

Use cases

  • Automated trading bots
  • Polymarket / prediction market agents
  • Token discovery pipelines

Input

  • Token address

Output

  • Risk level (low / medium / high)
  • Reason summary

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…