ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ATXSwap

v0.0.4

Manage ATX on BSC with wallet creation, price and balance queries, PancakeSwap V3 swaps, liquidity operations, and BNB/ERC20 transfers. Use when the user men...

0· 106·0 current·0 all-time
byatxswap@agentswapx

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for agentswapx/atxswap.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "ATXSwap" (agentswapx/atxswap) from ClawHub.
Skill page: https://clawhub.ai/agentswapx/atxswap
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node, npm
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install agentswapx/atxswap

ClawHub CLI

Package manager switcher

npx clawhub@latest install atxswap
Security Scan
Capability signals
CryptoRequires walletRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included scripts and declared dependency (atxswap-sdk). Required binaries (node, npm), an npm dependency, and BSC RPC access are all reasonable for a BSC wallet/trading skill. The fixed keystore path under the user home (~/.config/atxswap) is consistent with a wallet-focused skill.
Instruction Scope
Runtime instructions are concrete and confined to wallet creation, queries, swaps, liquidity, and transfers. They explicitly require npm install and running the bundled node scripts. The SKILL.md includes sensible safety rules (always preview, never print private keys). One operational note: the skill stores wallet data and (per its docs) will auto-save passwords to a local secure storage area (master.key + secrets.json under ~/.config/atxswap). wallet.js export prints the encrypted keystore JSON to stdout by default (or can write to a file with --out); this is expected but is sensitive and the README advises writing to a file instead.
Install Mechanism
No custom download URLs or extract steps are used. The skill expects you to run npm install in the skill directory, pulling atxswap-sdk from the public npm registry (package-lock.json confirms this). This is a common, expected install pattern for Node-based skills and aligns with the stated SDK dependency.
Credentials
The skill requests no external credentials and only optional BSC_RPC_URL env var (used for RPC fallback). It writes keystore and secret files under the user's home directory and may auto-save wallet passwords using the SDK's secure storage — this is proportionate to its function but is sensitive: the skill will create and maintain local secret files (master.key, secrets.json, keystore V3 JSON). Users should be aware that passwords are stored locally by the SDK/skill and that exporting a keystore prints encrypted JSON unless --out is used.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. Its persistence is limited to creating files under the user's home (~/.config/atxswap). It does not modify other skills or global agent settings. Autonomous invocation is allowed (platform default) but not combined with other elevated privileges.
Scan Findings in Context
[npm-dependency-atxswap-sdk] expected: package.json/package-lock show atxswap-sdk pulled from the public npm registry. This is expected for a skill that delegates blockchain operations to an SDK.
[publish-clawhub-crypto-patterns-note] expected: PUBLISH.md notes that ClawHub's scanner flags 'crypto-key / external-API patterns' which is expected for wallet-related code and not necessarily an actionable warning. This is an informational scan-result referenced in the repo, not an indication of hidden exfiltration.
Assessment
This skill appears to do what it says: manage a single local wallet and perform read/write actions on BSC via PancakeSwap V3. Before installing, consider the following: 1) The skill will create and use ~/.config/atxswap for keystore and secret storage and may auto-save the wallet password — treat those files as sensitive. 2) The skill relies on atxswap-sdk from npm; review or trust that SDK before installing. 3) The skill will not accept importing an existing private key (it creates a new wallet); do not attempt to paste private keys into chat. 4) Prefer exporting keystore to a file (--out) rather than printing the keystore JSON into chat. 5) If you need stronger isolation, run the skill in a sandboxed or disposable environment and point BSC_RPC_URL to a private RPC if desired. If you want more assurance, review the atxswap-sdk source code and confirm how it saves passwords/keys (master.key / secrets.json) before using real funds.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

OSLinux · macOS
Binsnode, npm
atxvk971p1tgvsdte1q4rrt42qqvvh85eez1atxswapvk971p1tgvsdte1q4rrt42qqvvh85eez1bscvk971p1tgvsdte1q4rrt42qqvvh85eez1latestvk971p1tgvsdte1q4rrt42qqvvh85eez1tradingvk971p1tgvsdte1q4rrt42qqvvh85eez1
106downloads
0stars
4versions
Updated 1h ago
v0.0.4
MIT-0
Linux, macOS
atxswap@agentswapx
atxatxswapbsclatesttrading
Download

ATXSwap Skill

Execute ATX trading and wallet workflows on BSC. This skill is designed for agents that need safe, repeatable commands for wallet management, ATX/USDT quotes, swaps, V3 liquidity actions, and transfers.

  • SDK: atxswap-sdk on npm (source)
  • Keystore dir: ~/.config/atxswap/keystore (fixed, not configurable)
  • Secrets dir: ~/.config/atxswap/ (master.key + secrets.json)

Use This Skill For

  • Create the single wallet used by this skill instance (importing an existing private key is not supported)
  • Query ATX price, balances, LP positions, quotes, and arbitrary ERC20 token info
  • Buy or sell ATX against USDT on PancakeSwap V3
  • Add liquidity, remove liquidity, collect fees, or burn empty LP NFTs
  • Transfer BNB, ATX, USDT, or arbitrary ERC20 tokens

Before First Use

This skill ships its own Node scripts and depends on atxswap-sdk.

  1. Open the skill directory where this SKILL.md is installed.
  2. Run npm install there before using any script.
  3. If npm install fails, stop and report the dependency error instead of guessing.

If the skill is installed via ClawHub or OpenClaw CLI, the install location is typically ~/.clawhub/skills/atxswap/ (or the equivalent client-managed path). If you cloned this repository directly, the location is skills/atxswap/.

Script Location

Use the skill directory path to locate scripts. If ${SKILL_DIR} is available (injected by skills.sh-compatible runtimes), use it; otherwise use the absolute path to this skill's installed directory.

Example:

cd skills/atxswap && npm install
cd "${SKILL_DIR}" && node scripts/wallet.js list

All examples below use cd "${SKILL_DIR}" && for clarity. If your runtime does not inject ${SKILL_DIR}, replace it with the absolute path of the installed skill directory.

Runtime Notes

  • BSC_RPC_URL is optional and supports comma-separated values for fallback, e.g. BSC_RPC_URL="https://primary,https://backup1,https://backup2". When unset, scripts use a built-in fallback list of 8 BSC public RPC endpoints and viem will retry them in order.
  • Wallet files live under ~/.config/atxswap/keystore.
  • Secure secrets live under ~/.config/atxswap/ (master.key + secrets.json).
  • Only one wallet is allowed per skill installation. If a wallet already exists, wallet.js create fails.
  • Use wallet.js list before creating a wallet.
  • Importing an existing private key via this skill is not supported. If the user asks to import a private key, refuse and tell them to use a dedicated wallet tool of their choice.
  • Scripts write JSON output. wallet.js export prints the address's encrypted keystore V3 JSON to stdout (or writes it to a file via --out <file>); it never prints the raw private key.
  • query.js quote can return a JSON error if the configured Quoter or RPC rejects the simulation. Surface the error and do not proceed to a write.

Password Rules

When the user asks to create a wallet:

  1. Ask the user for a password first (do NOT generate one).
  2. Pass it via --password <pwd> to the script when running non-interactively.
  3. The password is auto-saved to secure storage after creation.
  4. Never print the password back to the chat.

For swap, transfer, and liquidity operations, rely on auto-unlock first. Only ask for the password if auto-unlock fails.

Hard Safety Rules

  1. Treat all BSC writes as real-asset operations.
  2. NEVER output private keys or passwords in chat.
  3. ALWAYS run a preview before write actions: query price, quote, balance, or positions as appropriate.
  4. ALWAYS show the preview to the user and wait for explicit confirmation before swap, transfer, or liquidity writes.
  5. NEVER execute large trades without the user saying "yes" or "confirm".
  6. wallet.js export only emits the encrypted keystore JSON, never the raw private key. There is no command that prints the unencrypted private key, and the agent must not attempt to derive or display one.
  7. Prefer wallet.js export <address> --out <file> and tell the user the file path. Avoid pasting the keystore JSON itself into chat unless the user explicitly asks for it.

Required Preview Flow

Before every write action:

  1. Query the price, quote, balance, or positions that match the requested action.
  2. Summarize the preview in plain language.
  3. Ask the user to confirm.
  4. Execute the write command only after confirmation.
  5. Return the transaction hash and the key result fields.

High-Value Workflows

Check market state

cd "${SKILL_DIR}" && node scripts/query.js price
cd "${SKILL_DIR}" && node scripts/query.js balance <address>
cd "${SKILL_DIR}" && node scripts/query.js positions <address>

Preview before swap

cd "${SKILL_DIR}" && node scripts/query.js quote <buy|sell> <amount>

Execute after confirmation

cd "${SKILL_DIR}" && node scripts/swap.js buy <usdtAmount> [--from address] [--slippage bps] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/liquidity.js add <atxAmount> <usdtAmount> [--from address] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/transfer.js atx <to> <amount> [--from address] [--password <pwd>]

Command Reference

wallet.js

cd "${SKILL_DIR}" && node scripts/wallet.js create [name] --password <pwd>
cd "${SKILL_DIR}" && node scripts/wallet.js list
cd "${SKILL_DIR}" && node scripts/wallet.js export <address> [--out <file>]
cd "${SKILL_DIR}" && node scripts/wallet.js has-password <address>
cd "${SKILL_DIR}" && node scripts/wallet.js forget-password <address>

query.js

cd "${SKILL_DIR}" && node scripts/query.js price
cd "${SKILL_DIR}" && node scripts/query.js balance <address>
cd "${SKILL_DIR}" && node scripts/query.js quote <buy|sell> <amount>
cd "${SKILL_DIR}" && node scripts/query.js positions <address>
cd "${SKILL_DIR}" && node scripts/query.js token-info <tokenAddress>

swap.js

cd "${SKILL_DIR}" && node scripts/swap.js buy <usdtAmount> [--from address] [--slippage bps] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/swap.js sell <atxAmount> [--from address] [--slippage bps] [--password <pwd>]

liquidity.js

cd "${SKILL_DIR}" && node scripts/liquidity.js add <atxAmount> <usdtAmount> [--from address] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/liquidity.js remove <tokenId> <percent> [--from address] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/liquidity.js collect <tokenId> [--from address] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/liquidity.js burn <tokenId> [--from address] [--password <pwd>]

transfer.js

cd "${SKILL_DIR}" && node scripts/transfer.js bnb <to> <amount> [--from address] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/transfer.js atx <to> <amount> [--from address] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/transfer.js usdt <to> <amount> [--from address] [--password <pwd>]
cd "${SKILL_DIR}" && node scripts/transfer.js token <tokenAddress> <to> <amount> [--from address] [--password <pwd>]

When To Refuse Or Pause

  • Missing wallet but the user requests a write action
  • Missing confirmation for swap, transfer, or liquidity writes
  • npm install has not been run successfully in the skill directory
  • RPC, dependency, or wallet-unlock errors that make the state unclear

Standard Workflow

For any write action:

  1. Query current price, quote, balance, or positions as needed.
  2. Summarize the preview for the user.
  3. Wait for explicit confirmation.
  4. Execute the write command.
  5. Report the transaction hash and result.

Comments

Loading comments...