ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Token Research

v1.0.0

Comprehensive token research for EVM chains (Base, ETH, Arbitrum) and Solana. Use this skill when you want to research crypto tokens, deep-dive projects or m...

0· 320·1 current·1 all-time
by@0xartex

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for 0xartex/token-research.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Token Research" (0xartex/token-research) from ClawHub.
Skill page: https://clawhub.ai/0xartex/token-research
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install token-research

ClawHub CLI

Package manager switcher

npx clawhub@latest install token-research
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (token research for EVM chains + Solana) aligns with the code and instructions: dexscreener, GoPlus, Etherscan/Basescan calls and web searches. However, the skill also mandates contacting an 'owner' (via a local script and messaging) and auto-appending watchlists/reports in the workspace — behaviors that go beyond pure read-only research and require filesystem and external messaging capabilities that are not declared.
!
Instruction Scope
SKILL.md instructs the agent to call external APIs (DexScreener, GoPlus, Twitter API endpoint), to run a local script at ~/workspace/scripts/ape-call.sh, to send Telegram/Discord/WhatsApp DMs and to spawn parallel sub-agents and auto-deep-dive top picks without user confirmation. It also requires appending watchlist and report files. These instructions direct network calls and writes and compel outbound communication (owner calls/DMs) that are not limited or qualified in the metadata.
Install Mechanism
No install spec; an instruction-only skill plus a single included shell script (fetch_token_data.sh). No arbitrary downloads or extract operations. The presence of a helper script is expected for this purpose.
!
Credentials
The SKILL.md and examples require/use environment variables (e.g., $TWITTERAPI_KEY) and imply use of API keys (Etherscan, possibly GoPlus) but the registry metadata lists no required env vars or primary credential. The skill also expects access to ~/workspace scripts and to be able to send messages to the 'owner' — credentials or tokens for messaging platforms are neither declared nor justified in the manifest.
Persistence & Privilege
always:false (good). But the instructions require appending files under reports/ and watchlists/ and mandate calling an owner and spawning sub-agents in batch mode. Those are persistent side-effects (file writes and potentially long-running monitoring) and autonomous actions that should be explicitly declared and consented to; currently they are embedded only in SKILL.md.
What to consider before installing
What to check before installing: - Ask the publisher to declare required environment variables (at minimum: TWITTERAPI_KEY and any block-explorer API keys) in the skill metadata. Right now the skill references $TWITTERAPI_KEY but requires.env is empty. - Inspect the '~/workspace/scripts/ape-call.sh' referenced by the skill (or any 'call owner' mechanism). That script will be executed (or the skill will attempt to call it). Verify it does not exfiltrate research data or contact unknown endpoints. - Confirm how 'call owner' and 'send DM' steps are implemented and whether messaging credentials (Telegram/Discord/WhatsApp tokens) are needed — these are not declared. Do not grant messaging credentials until you verify the owner endpoint and message contents. - The skill instructs spawning parallel sub-agents and auto-deep-diving top picks. If you want to avoid autonomous multi-agent or background activity, restrict the skill's autonomous invocation or disable batch auto-deep-dive behavior. - The skill writes reports and appends watchlists under reports/ and watchlists/. Ensure you run it in an isolated workspace or that you trust these files will be appended only as described (the skill mandates 'APPEND only — never overwrite'). - Because the script makes many outbound network calls, review rate-limit and API-key usage (Etherscan/GoPlus) to avoid unexpected failures or leaking keys in logs. - If you are unsure about the owner or scripts, run the included fetch_token_data.sh in a sandboxed environment first and/or request the author to remove mandatory 'call owner' commands or to make owner notification optional. Bottom line: functionality is plausible for token research, but missing environment/credential declarations and mandatory 'call owner' outbound actions are red flags you should resolve before installing or enabling autonomous use.

Like a lobster shell, security has layers — review code before you run it.

latestvk9789vh3anf176b9kxat75y0wd82n46p
320downloads
0stars
1versions
Updated 16h ago
v1.0.0
MIT-0
@0xartex
latest
Download

This skill is a comprehensive token research for EVM chains (Base, ETH, Arbitrum) and Solana. Two modes: deep_research and shallow_dive.

MANDATORY: CALL Owner FOR WATCH OR APE TOKENS

ANY token rated WATCH 🟡 or APE 🟢 → IMMEDIATELY call your owner + send Telegram/discord/whatsapp DM. NO EXCEPTIONS.

  1. Run ~/workspace/scripts/ape-call.sh "WATCH/APE alert: $TICKER at $MCAPk mcap, $VOLk volume. [1-line reason]" ( or call normally if there's no script )
  2. Send a DM to your owner with full analysis
  3. Do BOTH — call AND message. Every time.

DO NOT: say "if owner were awake", filter out tokens because "pure meme" or "no narrative", or process alerts without calling.

MANDATORY: ALWAYS RESEARCH ON X/TWITTER — SKIP PURE MEMES

For EVERY token, before giving a verdict, check X/Twitter:

  1. Search $TICKER and project name (Latest + Top)
  2. Check the project's Twitter account: tweets, bio, what they're building
  3. Look for a PRODUCT (website, GitHub, app, protocol)

IMPORTANT: use the 'x-research' skill to search on X.

If the product is real, CALL your owner regardless of chart action. Bad charts on real products = buying opportunity, not a skip.

Pure memes = AVOID by default. Only exception: volume 10x+ the batch average.

Reports & Watchlist

Reports: reports/YYYY-MM-DD/[report-name].md Watchlist: watchlists/YYYY-MM/watchlist.md

Watchlist Rules

  • After any research, if token has real product/team or unique narrative → append to watchlist
  • Tiers: Tier 1 (strongest), Tier 2 (good signal, higher risk), Tier 3 (speculative)
  • Each entry: token, chain, CA, entry MC, current MC, catalyst, status (🟢🟡🔴)
  • APPEND only — never overwrite. Update status when new data comes in.

DEEP RESEARCH

Phase 1: Token Fundamentals

curl -s "https://api.dexscreener.com/latest/dex/tokens/CHAIN/TOKEN_ADDRESS"
curl -s "https://api.gopluslabs.io/api/v1/token_security/CHAIN_ID?contract_addresses=TOKEN_ADDRESS"

Phase 2: X/Twitter Research (most important phase)

# Search by ticker, CA, and project name
curl -s "https://api.twitterapi.io/twitter/tweet/advanced_search?query=\$TICKER&queryType=Latest" -H "X-API-Key: $TWITTERAPI_KEY"
curl -s "https://api.twitterapi.io/twitter/tweet/advanced_search?query=TOKEN_ADDRESS&queryType=Latest" -H "X-API-Key: $TWITTERAPI_KEY"

# Project account info + tweets
curl -s "https://api.twitterapi.io/twitter/user/info?userName=PROJECT_HANDLE" -H "X-API-Key: $TWITTERAPI_KEY"
curl -s "https://api.twitterapi.io/twitter/user/last_tweets?userName=PROJECT_HANDLE" -H "X-API-Key: $TWITTERAPI_KEY"

# KOL mentions
curl -s "https://api.twitterapi.io/twitter/tweet/advanced_search?query=\$TICKER%20min_faves:50&queryType=Top" -H "X-API-Key: $TWITTERAPI_KEY"

# Founder research (if found)
curl -s "https://api.twitterapi.io/twitter/user/info?userName=FOUNDER_HANDLE" -H "X-API-Key: $TWITTERAPI_KEY"

⚠️ VERIFY dev claims from THEIR OWN ACCOUNT. Never trust holder/community claims about dev endorsement. Search from:DEV_HANDLE for mentions of the token. If dev hasn't posted about it → flag as unconfirmed.

Phase 3: Web Research

Search for: project website, team/founder background, news/partnerships, Reddit sentiment.

Phase 4: Narrative Assessment

Narrative Score (add to every report):

  • 🔥 Strong — Novel concept, viral potential, clear catalyst
  • 🟡 Moderate — Decent angle but not unique, or good concept with weak execution
  • 🧊 Weak/None — Generic, repetitive, no story → likely dumps to zero

Key questions: Is it novel? Would someone share it unprompted? Is the market tired of this category? Why hold beyond a flip?

Smart money wallet count + narrative quality are better predictors than contract safety.

Phase 5: Risk Synthesis

Combine: narrative quality, smart money interest, contract security, holder concentration, team transparency, social proof (organic vs bots), liquidity depth, buy/sell ratio.

SHALLOW DIVE

Run only: DexScreener + GoPlus + one Twitter search + basic web search.

Batch Research (5+ Tokens)

  1. Spawn parallel sub-agents for concurrent research
  2. After filtering, auto deep dive top 1-3 tokens without waiting for user to ask
  3. Save report to reports/YYYY-MM-DD/[N]-token-analysis.md
  4. Auto-add top picks to monthly watchlist

Comments

Loading comments...