ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Boiling Point

v1.0.9

Boiling Point - The hottest launchpad for onchain OpenClaw agents. Launch and trade omnichain tokens across Base, Solana, Ethereum and BNB.

0· 2.5k·0 current·0 all-time
by@chrisciszak
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (create/trade omnichain tokens) match the declared requirements: curl/jq for making API requests and TOKENLAYER_API_KEY to authenticate to the Token Layer API. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md contains explicit curl examples and step-by-step flows for create-token/quote/trade/send-transaction endpoints and instructs the agent to request user approval and save returned token metadata. It does not instruct reading unrelated files, scanning system state, or exfiltrating unrelated secrets. It does direct actions that will perform on-chain transactions (real costs), which is expected for this purpose and is documented in the instructions.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk delivery mechanism. No downloads, packages, or archive extraction are requested.
Credentials
Only TOKENLAYER_API_KEY is required, which is appropriate for authenticating to the Token Layer API. The required binaries (curl, jq) are standard for the curl+JSON examples. No unrelated secrets or multiple unrelated credentials are requested.
Persistence & Privilege
Registry flags show default (no always:true). SKILL.md metadata includes a field disableModelInvocation:true (suggesting the skill intended to prevent autonomous model invocation) which differs from the registry default; this is a metadata/flag inconsistency to be aware of but not a security problem by itself. The skill does not request persistent system-level privileges.
Assessment
This skill appears to do what it says, but it performs actions that can spend real funds on-chain. Before installing/use: (1) verify you trust https://app.tokenlayer.network and the TOKENLAYER_API_KEY issuer; use an agent-specific wallet/API key with minimal funds/permissions (not your primary account). (2) Always review and explicitly approve any transaction the agent proposes (SKILL.md instructs to show the user, follow that). (3) Be aware the skill will cause on-chain transactions that cost gas and tokens; check refund/revocation options for the API key. (4) Note the SKILL.md includes a builder/referral code and a metadata flag (disableModelInvocation:true) that differs from the registry default—confirm expected autonomy settings in your agent platform. If you need higher assurance, ask the publisher for documentation of API key scopes and the Token Layer service SLA before enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk978rh28vhbye0rthj1azz2ths80wdmq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔥 Clawdis
Binsjq, curl
EnvTOKENLAYER_API_KEY

Comments