Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TrencherAI — Base Chain Intelligence

v1.0.1

Real-time AI scoring for Base chain tokens via x402 micropayments. Score any token 0-100 with smart money signals, pattern win rate, launchpad context, and B...

by BasedJaider @soynull
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (token scoring on Base) matches the runtime instructions: all endpoints are token-scoring, hot-feeds, and smart-money activity. The declared lack of required binaries/env/config is consistent with an instruction-only wrapper that delegates payments to the client-side x402 flow.
Instruction Scope
Instructions are narrowly scoped to calling api.aitrencher.xyz endpoints and handling an x402 payment flow; they do not ask the agent to read unrelated files or system-wide secrets. However, the doc includes a code example that uses Coinbase CDP credentials (apiKeyId, apiKeySecret) for signing payments — the SKILL.md does not declare these as required env vars, so callers must supply them to their agent/client. The agent will need to perform wallet signing or provide Coinbase CDP keys to make payments, which increases the risk of accidental charges or credential exposure if not managed carefully.
Install Mechanism
No install spec and no code files — the skill is instruction-only, so nothing is written to disk by the skill itself. This is the lowest install risk.
Credentials
The skill declares no required environment variables, yet its payment example shows directly using Coinbase CDP API keys (apiKeyId/apiKeySecret). That is not intrinsically malicious, but it is a mismatch between declared requirements and the real-world need to supply payment credentials to the agent. Also, the SKILL.md hardcodes a pay-to address (0xd3c3...ccab) and a facilitator endpoint (api.cdp.coinbase.com); calling the service will cause micro-payments to that address — ensure you trust it before enabling automatic agent calls.
Persistence & Privilege
Skill is not always-on and does not request persistent system privileges. Autonomous invocation is allowed by default (normal), but nothing in the skill requests system-wide config changes or cross-skill credential access.
What to consider before installing
This skill calls an external API that charges small USDC payments per request; the payments are handled client-side via x402 and may require Coinbase CDP credentials or a wallet. Before installing:
1) Verify you trust api.aitrencher.xyz and the hardcoded pay-to address (0xd3c3...ccab).
2) Do NOT give your agent high-privilege Coinbase API keys unless you understand and limit their scope — prefer a dedicated low-balance wallet or restricted API key for testing.
3) Ensure your agent only makes requests when you explicitly authorize them (or disable automatic invocation), so it cannot make uncontrolled micro-payments.
4) Test with a tiny amount first and monitor transactions on Base.
5) If you need provenance, request the skill owner/source code or a homepage before using it with real funds.

Like a lobster shell, security has layers — review code before you run it.

Tags: base-chain, crypto, defi, latest, memecoin, onchain, token-analysis, x402
