Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Smoothsend Gasless

v1.0.0

How to sponsor gas fees for Aptos dApp users using SmoothSend. Paid commercial service: free on testnet, credit-based on mainnet. Covers 3-line wallet adapte...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for iskysun96/smoothsend-gasless.

Install the skill "Smoothsend Gasless" (iskysun96/smoothsend-gasless) from ClawHub.
Skill page: https://clawhub.ai/iskysun96/smoothsend-gasless
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install smoothsend-gasless

ClawHub CLI

npx clawhub@latest install smoothsend-gasless

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The SKILL.md content matches the stated purpose (how to sponsor Aptos gas using SmoothSend) and the recommended dependencies (@smoothsend/sdk, Aptos wallet adapter) are appropriate. However, the registry metadata declares no required env vars while the instructions clearly require an API key (NEXT_PUBLIC_SMOOTHSEND_API_KEY or VITE_SMOOTHSEND_API_KEY), which is an inconsistency.
Instruction Scope
Instructions are focused on integrating SmoothSend (provider setup, Script Composer, error handling). They explicitly tell developers to store an API key in env vars and to handle 402 errors. A notable instruction-level risk: the guidance recommends client-prefixed env vars (NEXT_PUBLIC_/VITE_) which will expose the API key to browsers — the doc warns not to expose server-only keys but doesn't clearly explain the security implications or alternatives (server-side proxy, scoped keys). The skill also suggests running an npx tool (npx @smoothsend/mcp) — benign for documentation but not declared in metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes direct install risk. It references installing npm packages (@smoothsend/sdk and wallet adapter) but does not attempt to fetch arbitrary archives or run installers on behalf of the user.
Credentials
The skill metadata lists no required environment variables, yet the runtime instructions mandate an API key (NEXT_PUBLIC_SMOOTHSEND_API_KEY or VITE_SMOOTHSEND_API_KEY). Requesting an API key is reasonable for this integration, but using NEXT_PUBLIC_/VITE_ implies the key will be shipped to clients; the docs do not justify the key's intended exposure model, nor do they discuss scopes, revocation, or a server-side alternative. This mismatch between declared requirements and instructions is a proportionality and transparency concern.
Persistence & Privilege
The skill does not request persistent installation privileges (always is false), does not modify other skills or system configs, and has no declared config paths. There is no evidence it requests elevated runtime privileges.
What to consider before installing
This SKILL.md appears to be a legitimate integration guide for SmoothSend, but note two things before you rely on or install it: (1) the registry metadata does not declare the API key it actually requires — the guide expects NEXT_PUBLIC_SMOOTHSEND_API_KEY or VITE_SMOOTHSEND_API_KEY. Confirm whether that key is meant to be public (client-visible) or private; if it is sensitive, prefer a server-side proxy or a scoped key mechanism. (2) Exposing an API key in client-side env vars can allow anyone to use your SmoothSend credits unless the provider issues client-scoped, rate-limited keys — check SmoothSend docs and dashboard for key scopes, revocation, and billing controls. Additional checks: verify the @smoothsend/sdk package and any CLI tools (npx @smoothsend/mcp) come from the official SmoothSend npm/org, test everything on testnet first (it's free), and set up billing/alerting to detect unexpected credit usage.
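
The two findings above (an API key the instructions require but the metadata never declares, and NEXT_PUBLIC_/VITE_ names that ship to the browser) can be checked mechanically. The following is an added example, not ClawHub's scanner or SmoothSend code; the requiredEnv metadata field and the function names are assumptions.

```javascript
// Added example. The metadata shape { requiredEnv: [...] } is a hypothetical
// stand-in for a registry's declared requirements, not ClawHub's schema.

// Prefixes that Next.js and Vite inline into the browser bundle.
const CLIENT_PREFIXES = ["NEXT_PUBLIC_", "VITE_"];
// Env-style names: upper-case segments joined by at least one underscore.
const ENV_NAME = /\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b/g;
// Name segments that suggest the value is a credential.
const SECRET_HINT = /(?:^|_)(?:KEY|SECRET|TOKEN|PASSWORD)(?:_|$)/;

// Collect env var names from lines that mention "env" (covers process.env.X,
// import.meta.env.X and prose such as "store it in env"), so unrelated
// constants like USDC_ASSET are ignored.
function referencedEnvVars(skillText) {
  const names = new Set();
  for (const line of skillText.split("\n")) {
    if (!/\benv\b/i.test(line)) continue;
    for (const name of line.match(ENV_NAME) || []) names.add(name);
  }
  return [...names].sort();
}

function auditSkill(skillText, metadata) {
  const declared = new Set(metadata.requiredEnv || []);
  const referenced = referencedEnvVars(skillText);
  const clientExposed = referenced.filter((n) =>
    CLIENT_PREFIXES.some((p) => n.startsWith(p)));
  return {
    referenced,
    // Required by the instructions but absent from the declared metadata.
    undeclared: referenced.filter((n) => !declared.has(n)),
    // Credential-looking names that the bundler will ship to every visitor.
    exposedSecrets: clientExposed.filter((n) => SECRET_HINT.test(n)),
  };
}

// Constructed sample modelled on the skill text on this page.
const SAMPLE_SKILL = [
  "Store API key in env: NEXT_PUBLIC_SMOOTHSEND_API_KEY or VITE_SMOOTHSEND_API_KEY",
  "  apiKey: process.env.NEXT_PUBLIC_SMOOTHSEND_API_KEY!,",
  'const USDC_ASSET = "0x(placeholder)";',
].join("\n");

const report = auditSkill(SAMPLE_SKILL, { requiredEnv: [] });
console.log(JSON.stringify(report, null, 2));
```

Declaring the variables in metadata clears the undeclared list but not exposedSecrets, which only goes away when the key is no longer read from a client-prefixed variable.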

MIT-0

TypeScript SDK: SmoothSend Gasless Transactions

Purpose

Guide gasless transaction sponsorship on Aptos using SmoothSend. Users sign transactions via their wallet but never pay gas — you pay per transaction from pre-loaded credits. Works as a drop-in transactionSubmitter for AptosWalletAdapterProvider.

Paid commercial service: Free on testnet; mainnet uses credit-based billing. See Pricing for current rates.

ALWAYS

  1. Use @smoothsend/sdk — official npm package for SmoothSend integration.
  2. Pass SmoothSendTransactionSubmitter as transactionSubmitter in AptosWalletAdapterProvider — this enables gasless for all signAndSubmitTransaction calls.
  3. Store API key in env — use NEXT_PUBLIC_SMOOTHSEND_API_KEY or VITE_SMOOTHSEND_API_KEY (never hardcode).
  4. Use testnet for development — testnet is always free; no credits required.
  5. Handle 402 (Insufficient credits) — API returns 402 when credits run out; show user-friendly message and link to billing.

NEVER

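  1. Do not expose the API key of a server-side-only app to the client. For frontend apps, use NEXT_PUBLIC_ or VITE_ prefixed env vars; these prefixes embed the value in the browser bundle, so treat that key as visible to anyone who loads the page.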
  2. Do not skip transactionSubmitter — without it, users pay gas themselves; the provider falls back to normal submission.
  3. Do not use Script Composer for arbitrary transactions — Script Composer is for stablecoin transfers (USDC, USDT, etc.) only; use Wallet Adapter for everything else.

Method 1: Wallet Adapter (Recommended — Any Transaction)

Use for swaps, NFT mints, contract calls — any transaction type.

Installation

npm install @smoothsend/sdk @aptos-labs/wallet-adapter-react

Provider Setup (3 lines)

import { SmoothSendTransactionSubmitter } from "@smoothsend/sdk";
import { AptosWalletAdapterProvider } from "@aptos-labs/wallet-adapter-react";
import { Network } from "@aptos-labs/ts-sdk";

const smoothSend = new SmoothSendTransactionSubmitter({
  apiKey: process.env.NEXT_PUBLIC_SMOOTHSEND_API_KEY!,
  network: "mainnet" // or 'testnet' (always free)
});

export function Providers({ children }: { children: React.ReactNode }) {
  return (
    <AptosWalletAdapterProvider
      autoConnect={true}
      dappConfig={{
        network: Network.MAINNET,
        transactionSubmitter: smoothSend
      }}
      onError={(error) => console.error("Wallet error:", error)}
    >
      {children}
    </AptosWalletAdapterProvider>
  );
}

After this, every signAndSubmitTransaction call is gasless. No other code changes needed.


Method 2: Script Composer (Fee-in-Token — Stablecoin Only)

Use for USDC, USDT, WBTC, USDe, USD1 transfers. Fee (~$0.01) is deducted from the token being sent — no APT or SmoothSend credits required.

import { ScriptComposerClient } from "@smoothsend/sdk";

const client = new ScriptComposerClient({
  apiKey: process.env.NEXT_PUBLIC_SMOOTHSEND_API_KEY!,
  network: "mainnet"
});

// USDC Mainnet asset address
const USDC_ASSET = "0xbae207659db88bea0cbead6da0ed00aac12edcdda169e591cd41c94180b46f3b";

const build = await client.buildTransfer({
  sender: walletAddress,
  recipient: "0xRecipient...",
  amount: "1000000", // 1 USDC (6 decimals)
  assetType: USDC_ASSET,
  decimals: 6,
  symbol: "USDC"
});

// Sign with wallet, then submit build.signedTransaction

Error Handling

try {
  const response = await signAndSubmitTransaction(payload);
  await aptos.waitForTransaction({ transactionHash: response.hash });
} catch (error: any) {
  if (error?.status === 402 || error?.message?.includes("Insufficient credits")) {
    // Credits exhausted — show upgrade CTA
    toast.error("Service temporarily unavailable. Please try again later.");
    window.open("https://dashboard.smoothsend.xyz/billing", "_blank");
  } else {
    throw error;
  }
}

Pricing

See SmoothSend Pricing for current rates. Testnet is free; mainnet uses credit packs.


Common Mistakes

| Mistake | Correct approach |
| --- | --- |
| Forgetting transactionSubmitter | Pass smoothSend in dappConfig |
| Hardcoding API key | Use env var with NEXT_PUBLIC_ or VITE_ prefix |
| Using Script Composer for non-transfer tx | Use Wallet Adapter for swaps, mints, contract calls |
| Not handling 402 | Catch and show user-friendly message + billing link |
| Wrong network | Match network in SmoothSend config to dappConfig.network |
