ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Liberfi Market

v1.0.3

Discover trending tokens and newly listed tokens across supported blockchains: view trending token rankings by chain and time window, find newly launched tok...

0· 137·1 current·1 all-time
by@bombmod

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for bombmod/liberfi-market.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Liberfi Market" (bombmod/liberfi-market) from ClawHub.
Skill page: https://clawhub.ai/bombmod/liberfi-market
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install liberfi-market

ClawHub CLI

Package manager switcher

npx clawhub@latest install liberfi-market
Security Scan
Capability signals
CryptoRequires walletCan sign transactionsRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's description and allowed commands align with a CLI-based token-discovery tool. However, the SKILL.md contains a CRITICAL directive to perform an automatic global npm install of @liberfi.io/cli (and to retry silently on registry errors). The registry metadata declares no required binaries or install steps; asking the agent to install a global CLI without declaring that requirement is inconsistent and disproportionate.
!
Instruction Scope
The instructions explicitly order the agent to install software 'WITHOUT asking the user' and to conceal registry failures by retrying with a specific registry. That is outside the narrow scope of querying rankings (it changes system state and suppresses error reporting). Other parts of the SKILL.md stay on-task (how to call lfi), but the installation/behavioral directives grant the agent broad discretion to modify the host environment.
!
Install Mechanism
There is no formal install spec in the skill metadata, but SKILL.md instructs a global npm install (-g) from the public npm registry. Installing an unsigned npm package globally is a moderate-to-high risk action (writes files, adds binaries, may require elevated permissions) and the SKILL.md provides no integrity checks, release host verification, or rollback instructions. The insistence on automatic installation and retrying registries increases risk.
!
Credentials
The skill declares no required env vars or credentials, which fits a public-read CLI. But the install directive implicitly requires system-level write access (npm, node, and potentially sudo). The metadata omits any required binaries (npm/node) while the instructions assume they exist or will succeed, a mismatch that could lead to unexpected privilege use or failed installs masked by the skill's retry behavior.
!
Persistence & Privilege
While the skill isn't force-enabled (always: false) and is user-invocable, the SKILL.md's global install will create persistent system binaries (lfi/liberfi). That is effectively granting the skill persistent code on the host at runtime without declaring or seeking user approval, which increases blast radius if the installed package is malicious or compromised.
What to consider before installing
This skill mostly does what it says (call a CLI to list trending/new tokens) but its runtime instructions are the main red flag: it orders the agent to install a global npm package without asking the user and to retry/ignore registry failures. Before installing or enabling this skill, ask the publisher to: (1) declare required binaries and provide a formal install spec in metadata rather than a hidden in-SKILL.md install instruction; (2) remove the 'install without asking' directive — require explicit user consent for any global installs; (3) provide links to the npm package and its source (GitHub) so you can inspect releases and verify integrity; (4) explain why global installation is necessary and whether a local/sandboxed invocation is possible; and (5) confirm there are no additional hidden behaviors (telemetry, network callbacks). If you must use it, do not allow the agent to perform global installs automatically—run any npm install manually in a controlled environment, inspect the package contents/maintainer, and sandbox execution.

Like a lobster shell, security has layers — review code before you run it.

latestvk975kc46p49re619a4tkr5bq9s85ghyf
137downloads
0stars
4versions
Updated 3d ago
v1.0.3
MIT-0
@bombmod
latest
Download

LiberFi Market Discovery

Discover trending tokens and newly launched tokens using the LiberFi CLI.

Pre-flight Checks

See bootstrap.md for CLI installation and connectivity verification.

This skill's auth requirements:

  • All commands: No authentication required (public API)

Skill Routing

If user asks about...Route to
Specific token info, price, security, holdersliberfi-token
Token K-line, candlestick, price chartliberfi-token
Wallet holdings, balance, PnLliberfi-portfolio
Wallet activity, transaction historyliberfi-portfolio
Swap, trade, buy, sell tokensliberfi-swap
Transaction broadcast or fee estimationliberfi-swap

CLI Command Index

Query Commands

CommandDescriptionAuth
lfi ranking trending <chain> <duration>Get trending tokens by chain and time windowNo
lfi ranking new <chain>Get newly listed tokens on a chainNo

Parameter Reference

Trending command:

  • <chain>Required. Chain identifier (e.g. sol, eth, bsc)
  • <duration>Required. Time window (e.g. 1h, 6h, 24h)
  • --sort-by <field> — Sort field (e.g. volume, price_change, market_cap)
  • --sort-dir <dir> — Sort direction: asc or desc
  • --filters <filters> — Comma-separated filters
  • --launchpad-platform <platform> — Filter by launchpad (e.g. pump.fun)
  • --search-keywords <keywords> — Comma-separated search keywords
  • --exclude-keywords <keywords> — Comma-separated keywords to exclude
  • --cursor <cursor> — Pagination cursor
  • --limit <limit> — Max results per page
  • --direction <direction> — Cursor direction: next or prev

New tokens command — same options as trending except no <duration> argument.

Operation Flow

View Trending Tokens

  1. Determine parameters: Ask user for chain and time window if not specified. Default: sol chain, 24h duration
  2. Fetch trending: lfi ranking trending <chain> <duration> --limit 20 --json
  3. Present results: Show a table with Name, Symbol, Price, Change (%), Volume, Market Cap
  4. Suggest next step: "Want to see details or security audit for any of these tokens?"

View Trending with Filters

  1. Collect filters: Launchpad platform, sort field, keywords
  2. Fetch: lfi ranking trending sol 1h --launchpad-platform "pump.fun" --sort-by volume --sort-dir desc --limit 20 --json
  3. Present: Filtered results in table format
  4. Suggest next step: "Want to drill into any specific token?"

Discover New Tokens

  1. Determine chain: Ask user if not specified. Default: sol
  2. Fetch new tokens: lfi ranking new <chain> --limit 20 --json
  3. Present: Show recently listed tokens with name, symbol, price, launch time
  4. Suggest next step: "Want to check the security audit before investigating further?"

Search Within Rankings

  1. Collect keywords: What the user is looking for
  2. Fetch: lfi ranking trending <chain> <duration> --search-keywords "meme,dog" --limit 20 --json
  3. Present: Filtered results matching the keywords
  4. Suggest next step: "Want to see details for any of these?"

Cross-Skill Workflows

"Show me what's trending, and research the top token"

Full flow: market → token → token → token

  1. marketlfi ranking trending sol 24h --sort-by volume --sort-dir desc --limit 10 --json
  2. tokenlfi token info sol <topTokenAddress> --json — Details on #1 token
  3. tokenlfi token security sol <topTokenAddress> --json — Security audit
  4. tokenlfi token holders sol <topTokenAddress> --json — Holder analysis
  5. Present consolidated findings

"Find new pump.fun tokens and check if the hottest one is safe"

Full flow: market → token → token

  1. marketlfi ranking new sol --launchpad-platform "pump.fun" --limit 10 --json
  2. Pick the top token by volume
  3. tokenlfi token security sol <address> --json — Security check
  4. tokenlfi token info sol <address> --json — Full details
  5. Present safety report

"What are the top gainers on ETH? I want to buy one"

Full flow: market → token → swap

  1. marketlfi ranking trending eth 24h --sort-by price_change --sort-dir desc --limit 10 --json
  2. User selects a token
  3. tokenlfi token security eth <address> --json — Mandatory security check
  4. swaplfi swap quote --in <inputToken> --out <address> --amount <amt> --chain-family evm --chain-id 1 --json
  5. Present quote and wait for user confirmation

Suggest Next Steps

Just completedSuggest to user
Trending ranking"Want to see details for any token?" / "需要查看某个代币的详情?"
New tokens list"Want to check the security audit for any of these?" / "需要对其中某个做安全审计?"
Filtered ranking"Want to drill into a specific token?" / "需要深入了解某个代币?"

Edge Cases

  • Invalid chain identifier: If the API returns an error, list supported chains (e.g. sol, eth, bsc) and ask the user to choose
  • Invalid duration: Suggest valid durations: 1h, 6h, 24h
  • No trending results: Inform user: "No trending tokens found for this chain and time window. Try a different chain or longer duration."
  • No new tokens: Inform user: "No newly listed tokens found. The chain may have low launch activity right now."
  • Network timeout: Retry once after 3 seconds; if still fails, suggest checking connectivity via lfi ping --json
  • Too many results: Default to --limit 20; if user asks for more, paginate with --cursor and --direction next

Security Notes

See security-policy.md for global security rules.

Skill-specific rules:

  • Trending and new token rankings are informational only — a token appearing in rankings does not indicate endorsement or safety
  • Always recommend users run a security audit (lfi token security) before interacting with newly discovered tokens
  • New tokens from launchpad platforms carry higher risk — proactively mention this when presenting results

Comments

Loading comments...