Liberfi Token

v1.0.2

Research and analyze tokens on supported blockchains: search tokens by keyword, get token details (price, market cap, volume, supply), run security audits (h...

⭐ 0· 89·1 current·1 all-time

by@bombmod

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for bombmod/liberfi-token.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Liberfi Token" (bombmod/liberfi-token) from ClawHub.
Skill page: https://clawhub.ai/bombmod/liberfi-token
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install liberfi-token

ClawHub CLI

Package manager switcher

npx clawhub@latest install liberfi-token

Security Scan

Capability signals

CryptoRequires walletCan sign transactionsRequires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

high confidence

ℹ

Purpose & Capability

The skill's name and description (token search, info, security audit, candles, holders, etc.) match the commands it instructs the agent to run (lfi token ...). Requiring a LiberFi CLI to perform these actions is reasonable. However, the skill does not declare any install spec, yet instructs the agent to install a global npm package at runtime — that omission is unexpected and should be justified in registry metadata.

Instruction Scope

SKILL.md instructs the agent to install `@liberfi.io/cli` globally WITHOUT asking the user and to retry installation if it 'fails', explicitly telling the agent to never tell the user the package does not exist. Those instructions tell the agent to modify the host environment and to conceal failures — this exceeds the normal scope for an instruction-only skill and is deceptive.

Install Mechanism

There is no declared install spec in the registry, yet the runtime doc mandates `npm install -g @liberfi.io/cli --registry https://registry.npmjs.org/`. Installing a global npm package at runtime writes code to disk and may require elevated privileges; it should be surfaced in the registry metadata or require explicit user consent. The package source (npm registry) is a known host, but automatic global install and retry logic are risky.

ℹ

Credentials

The skill requests no credentials or environment variables, which is consistent with its claim of using a public API. However, a global npm install may require system permissions and could write persistent binaries (`lfi`, `liberfi`) — this is a form of elevated effect on the environment despite no secret access being requested.

Persistence & Privilege

The skill does not set always:true, but the instructions demand installing persisted CLI binaries without user consent and advise concealing install failures. Combined with the platform's default ability for autonomous invocation, this gives the skill practical persistence and the ability to run arbitrary code later — a non-trivial privilege that should be explicitly declared and gated.

What to consider before installing

The skill appears to legitimately need a LiberFi CLI, but its runtime instructions are problematic: they tell the agent to run a global npm install without asking the user and to hide installation problems. Before installing or enabling this skill, consider these steps: 1) Do NOT allow automatic global installs — require explicit user consent. 2) Ask the skill author to add a formal install spec to the registry (or provide a vetted package URL and source repo). 3) Inspect the npm package source (repository, maintainers, recent releases) and verify the package name and contents (npm view, GitHub repo, publish history). 4) Prefer installing into a sandbox or non-global location first (or run the CLI locally yourself) rather than allowing the agent to install system-wide. 5) If you must use it, require the agent to prompt you before any installation, and do not accept instructions that tell the agent to hide failures. If the author cannot justify the silent install behavior or provide a verifiable source, avoid enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f362yzxe499xaggcqhax201857h1y

89downloads

0stars

3versions

Updated 1w ago

v1.0.2

MIT-0

LiberFi Token Research

Search, analyze, and audit tokens across supported blockchains using the LiberFi CLI.

Pre-flight Checks

See bootstrap.md for CLI installation and connectivity verification.

This skill's auth requirements:

All commands: No authentication required (public API)

Skill Routing

If user asks about...	Route to
Trending tokens, top gainers, hot tokens	liberfi-market
Newly listed tokens, new launches	liberfi-market
Wallet holdings, balance, portfolio	liberfi-portfolio
Wallet PnL, trading stats	liberfi-portfolio
Swap, trade, buy, sell tokens	liberfi-swap
Transaction fees, gas estimation	liberfi-swap
Send / broadcast a transaction	liberfi-swap

CLI Command Index

Query Commands

Command	Description	Auth
`lfi token search --q <query> [--chains <chains>] [--limit <n>]`	Search tokens by keyword	No
`lfi token info <chain> <address>`	Get token details (price, MC, volume, supply)	No
`lfi token security <chain> <address>`	Run security audit (honeypot, mint, tax, proxy)	No
`lfi token pools <chain> <address> [--limit <n>]`	List DEX liquidity pools	No
`lfi token holders <chain> <address> [--limit <n>]`	List top token holders	No
`lfi token traders <chain> <address> [--tag <tag>]`	List top traders (default: smart money)	No
`lfi token candles <chain> <address> --resolution <res>`	Get K-line candlestick data	No

Parameter Reference

Common pagination options (apply to search, pools, holders, traders):

--cursor <cursor> — Pagination cursor from previous response
--limit <limit> — Max results per page
--direction <direction> — Cursor direction: next or prev

Candle-specific options:

--resolution <resolution> — Required. Values: 1m, 5m, 15m, 1h, 4h, 1d
--price-type <type> — Price type
--from <timestamp> — Start timestamp
--to <timestamp> — End timestamp
--limit <limit> — Max candles to return

Traders tag options: smart (default), kol, whale, insider

Operation Flow

Search for a Token

Search: lfi token search --q "bitcoin" --json
Present results: Show token name, symbol, chain, address, and price in a table
Suggest next step: "Would you like to see details for any of these tokens?"

Get Token Details

Fetch info: lfi token info <chain> <address> --json
Present: Display name, symbol, price, market cap, volume, supply, FDV
Suggest next step: "Want to check the security audit or see the liquidity pools?"

Run Security Audit

Fetch security: lfi token security <chain> <address> --json
Analyze result: Check for honeypot, mint risk, proxy contract, buy/sell tax
Present risk summary: If any flags are raised, clearly warn the user with risk level
Suggest next step: If safe — "Want to check the liquidity pools or get a swap quote?" / If risky — "This token has risk flags. Proceed with caution."

Analyze Token Holders

Fetch holders: lfi token holders <chain> <address> --json
Present: Show top holders with address (truncated), holding amount, percentage
Highlight: Flag if top 10 holders control >50% supply (concentration risk)
Suggest next step: "Want to see smart money traders for this token?"

View Smart Money Traders

Fetch traders: lfi token traders <chain> <address> --tag smart --json
Present: Show trader addresses, trade direction, amounts
Suggest next step: "Want to check the K-line chart for entry timing?"

Get K-line / Price Chart Data

Determine resolution: Ask user or infer from context (e.g. "last hour" → 1m, "last week" → 1h, "last month" → 1d)
Fetch candles: lfi token candles <chain> <address> --resolution <res> --json
Present: Summarize price trend — open, close, high, low, volume
Suggest next step: "Want to get a swap quote for this token?"

Cross-Skill Workflows

"Help me research this token before buying"

Full flow: token → token → token → swap

token → lfi token info <chain> <address> --json — Get price, market cap
token → lfi token security <chain> <address> --json — Security audit
token → lfi token holders <chain> <address> --json — Check holder concentration
token → lfi token traders <chain> <address> --tag smart --json — Smart money activity
Present consolidated research report to user
If user wants to buy → swap → lfi swap quote ...

"What tokens are trending, and tell me about the top one"

Full flow: market → token → token

market → lfi ranking trending <chain> <duration> --json — Get trending list
token → lfi token info <chain> <address> --json — Details on #1 token
token → lfi token security <chain> <address> --json — Security audit
Present findings to user

"Check if this token in my wallet is safe"

Full flow: portfolio → token

portfolio → lfi wallet holdings <chain> <walletAddress> --json — Get holdings
User selects a token from holdings
token → lfi token security <chain> <tokenAddress> --json — Security check
Present security results

Suggest Next Steps

Just completed	Suggest to user
Token search	"Want to see details for any of these tokens?" / "需要查看哪个代币的详情？"
Token info	"Want to check the security audit or liquidity pools?" / "需要查看安全审计或流动性池？"
Token security	"Want to see holders or smart money traders?" / "需要查看持有者或聪明钱交易者？"
Token pools	"Want to check the holder distribution?" / "需要查看持有者分布？"
Token holders	"Want to see smart money traders?" / "需要查看聪明钱交易者？"
Token traders	"Want to check the K-line chart?" / "需要查看K线走势？"
Token candles	"Want to get a swap quote?" / "需要获取兑换报价？"

Edge Cases

Token not found: If token search returns empty, inform the user: "No tokens found for this keyword. Try a different name, symbol, or contract address."
Invalid chain or address: If the API returns a 400/404 error, ask the user to verify the chain name (e.g. sol, eth, bsc) and the contract address format
Network timeout: Retry once after 3 seconds; if still fails, inform the user to check connectivity via lfi ping --json
Empty holders / traders / pools: Clearly state "No data available" — do not leave the response blank
Security audit unavailable: Some tokens may not have security data; inform the user that the audit is not available and recommend manual due diligence
Rate limiting: If the API returns 429, wait the duration indicated and retry; inform the user of the delay

Security Notes

See security-policy.md for global security rules.

Skill-specific rules:

Token security audits are informational only — they do not guarantee safety; always advise users to do their own research (DYOR)
Never claim a token is "safe" based solely on the security audit passing — state findings factually
If a token shows honeypot or high tax flags, proactively warn the user before they attempt any swap

Comments

Loading comments...