Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Deepblue Defi Api
v1.4.0
Use when an agent needs live DeFi data from Base — ETH prices, trending pools, token scores, or wallet scans. No auth required.
by DeepBlue @error403agent
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (live DeFi data for Base) matches the runtime instructions: all endpoints are read-only GETs to deepbluebase.xyz and examples show only public queries. There are no unexpected binaries or credentials requested. However, the documented $DEEP holder tier and the wording about a read-only on-chain balance check tied to a "requesting IP's associated address" is unclear and doesn't fit cleanly with the claim of 'no authentication' and 'stateless API' — this is a proportionality/provenance mismatch worth clarifying.
Instruction Scope
SKILL.md strictly instructs the agent to call HTTPS endpoints on deepbluebase.xyz and parse JSON; there is no instruction to read local files or environment variables. The concern is internal inconsistency in the instructions: privacy section claims 'no wallet addresses, queries, or IP addresses are stored' while later saying higher rate limits are enforced via an on-chain balance check of the requesting IP's associated address (if provided). That suggests the operator may require or derive an address tied to the requester, which is not described clearly and could imply additional data flows beyond the 'stateless' claim.
Install Mechanism
No install spec and no code files — this is instruction-only (lowest install risk). The skill only references external API calls; nothing is downloaded or written to disk by the skill itself.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That is proportional to a read-only public API integration. Still, the ambiguous tiering mechanism (on-chain balance check tied to requester) may require the operator to ask the agent/user for a wallet/address in practice; that behavior is not declared as a required credential here and should be confirmed.
Persistence & Privilege
always:false and user-invocable:true — the skill does not request permanent inclusion or elevated privileges. It does not attempt to modify agent configuration or other skills. There is no evidence of persistence or privilege escalation in the SKILL.md.
What to consider before installing
This skill is essentially a set of instructions to call a public API (deepbluebase.xyz) and requires no secrets, which is reasonable for a read-only DeFi data provider. Before installing or invoking it: (1) verify the API domain and HTTPS certificate and consider using a proxy/logging layer to inspect requests; (2) inspect the linked GitHub repo (github.com/ERROR403agent/clawford) to confirm the server code matches the claims (especially the privacy and tiering logic); (3) do not provide private keys, signatures, or seed phrases — only public addresses should ever be sent; (4) ask the operator to clarify how the $DEEP holder tier works and what "requesting IP's associated address" means (how is an IP mapped to an address, and is any mapping/logging performed?); (5) test with non-sensitive addresses first and confirm the API's rate-limit/response behavior. The main risk is the inconsistent privacy/tiering description — resolve that ambiguity before trusting this service with any address data.
Like a lobster shell, security has layers — review code before you run it.
latestvk97413vm89sxz49bsj3dgehhyn83h3fj
