Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
SUPAH Portfolio Guardian
v1.3.0 · Automated wallet monitoring with real-time alerts. Track portfolio value, detect suspicious transactions, monitor approvals, and get risk warnings across Bas...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The name and description align with the code: the JS calls a SUPAH API to fetch portfolio/risk data and offers watch/list/health/alerts operations. Requiring 'node' is appropriate. However, SKILL.md and the metadata also list 'curl' as a required binary while the packaged index.js never calls curl, so that requirement is unnecessary and incorrect. The metadata also includes x402 payment info (a payTo address), which is consistent with the pricing claims but is an extra capability (payment) beyond pure read-only monitoring.
Instruction Scope
Runtime instructions and code only perform read-only queries to SUPAH endpoints and manage a local watched-wallets state file. The skill does not request private keys or other unrelated system data and explicitly states it does not store private keys. It does cause wallet addresses to be sent to the configured API endpoint (expected for this purpose).
Install Mechanism
There is no install spec — this is instruction+small JS utility only. The package has no external dependencies and does not download or extract remote archives. Low install risk.
Credentials
The skill declares a required SUPAH_API_BASE env var but the code falls back to a default ('api.supah.ai'), so the 'required' designation is inconsistent. SUPAH_API_BASE controls where wallet data is sent — if an operator sets it to a malicious host the skill would exfiltrate watched wallet addresses and requests there. The SKILL.md also embeds x402 payment metadata (payTo address) which implies the agent will be charged micropayments; this is coherent with the pricing statements but is a non-trivial capability (automatic payments) that should be explicitly approved by the user.
Persistence & Privilege
The tool writes/reads a state file at ~/.supah-guardian-state.json to store watched wallets and lastCheck. This is reasonable for a watchlist feature but is persistent data on the user's filesystem and could reveal watched wallet addresses to other local parties. The skill does not request system-wide privileges or modify other skills.
What to consider before installing
Things to check before installing:
- Confirm the API host: SUPAH_API_BASE can redirect requests. If you don't want to override it, leave it unset so the skill uses the published default (api.supah.ai). Only set SUPAH_API_BASE to a host you trust.
- Micropayments: the skill embeds x402 payment metadata and a payTo address (0xD3B2...1761). Understand that use of the skill implies small automatic charges via your agent's x402-capable client; verify you are willing to pay and that your agent's payment client is configured securely.
- Local state: the skill stores watched wallets in ~/.supah-guardian-state.json. If you are concerned about revealing which wallets you monitor, run it in an isolated environment or inspect/redirect the state path.
- Unused requirement: SKILL.md lists 'curl' as required but the bundled code doesn't use it — this is likely harmless but indicates sloppy metadata.
- Verify upstream: the package.json lists a GitHub repo and the SKILL.md lists https://supah.ai and api.supah.ai. If you rely on this tool for real funds, verify the upstream project and maintainer legitimacy (website, repo activity, signed releases) before trusting payments or automated monitoring.
If you are uncomfortable with automatic micropayments or with an env var that could be repointed, run the skill in a sandboxed environment and review its network traffic (or leave SUPAH_API_BASE unset) before granting it network or payment privileges.
latest: vk97cbaxb99ykwj5ejdr054b81183d2qy
Runtime requirements
💼 Clawdis
Bins: curl, node
Env: SUPAH_API_BASE
