ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SUPAH NFT Intelligence

v1.3.0

NFT collection tracking, whale monitoring, and portfolio valuation for Base blockchain. Track floor prices, whale moves, and discover undervalued collections.

0· 78·1 current·1 all-time
by@supah-based
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, network host (api.supah.ai), and the single required env var (SUPAH_API_BASE) align with an external NFT-data API. However, SKILL.md and registry require the binary 'curl' even though the bundled index.js only uses Node's https module, which is unnecessary and inconsistent. Version strings differ across files (registry 1.3.0, index.js prints v1.2.0, package.json 1.0.0) — likely sloppy maintenance but not necessarily malicious.
Instruction Scope
SKILL.md and index.js instruct outbound GETs to SUPAH_API_BASE (default https://api.supah.ai) for NFT floor, track, portfolio, and alerts. The instructions do not ask the agent to read local files or other env vars. The skill will transmit collection addresses and wallet addresses to the external API (expected for this purpose) — users should be aware that queries like portfolio valuation send wallet identifiers to the remote service.
Install Mechanism
No install spec (instruction-only), bundled Node script only; nothing downloaded from arbitrary URLs. Low installation risk.
Credentials
Only SUPAH_API_BASE is required, which is appropriate. However, the skill advertises x402 micropayments and contains a hard-coded payTo address in SKILL.md metadata — calls will incur on-chain USDC micropayments (per-call pricing listed). The skill doesn't require wallet keys (it relies on the platform's x402 client), so verify your agent/platform will handle/charge micropayments as described and that you accept charges going to the listed address.
Persistence & Privilege
always is false; skill does not request elevated or persistent privileges. It does not modify other skills or system configs.
What to consider before installing
This skill appears to be a straightforward wrapper around SUPAH's API and will send collection or wallet identifiers to https://api.supah.ai (or whatever SUPAH_API_BASE you set). Before installing: 1) confirm your agent/platform supports x402 micropayments and that you accept the per-call pricing and the hard-coded payTo address (0xD3B2eCfe77780bFfDFA356B70DC190C914521761); 2) be aware queries that value a wallet will transmit that wallet address to the external service; 3) the skill unnecessarily lists 'curl' as a required binary even though the shipped code uses Node — this is likely benign but indicates sloppy packaging; 4) source is listed as unknown/remote — if you need stronger assurance, verify the upstream project (https://github.com/supah-based/supah-nft-intelligence or https://supah.ai) and confirm package integrity and recent maintenance. If you cannot accept automatic micropayments or are uncomfortable sending wallet identifiers to the remote API, do not install.

Like a lobster shell, security has layers — review code before you run it.

latestvk976pc1htpftesrkc7m94my8ch83caf0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🖼️ Clawdis
Binscurl, node
EnvSUPAH_API_BASE

Comments