SUPAH Pulse

Security checks across static analysis, malware telemetry, and agentic risk

Overview

SUPAH Pulse appears to match its advertised crypto-market briefing purpose, but users should notice that it makes disclosed outbound API calls and can trigger automatic $0.03 USDC payments per use.

Install only if you are comfortable with a paid market-data skill. Keep the agent wallet funded with only the amount you are willing to spend, avoid overriding SUPAH_API_BASE unless you trust the endpoint, and verify the publisher/payment details because no homepage or source repository is listed.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Repeated invocations could spend USDC from the configured agent wallet.

Why it was flagged

The skill discloses that invoking it can spend funds from an agent wallet via x402. This is purpose-aligned and per-call priced, but it is still delegated financial authority.

Skill content

"$0.03 USDC per pulse" ... "Your agent pays automatically per call" ... "Just USDC in your agent wallet on Base."

Recommendation

Use a limited-balance wallet, confirm the x402 payment settings, and set agent rules or budgets for when this skill may be called.

What this means

Market requests, and potentially x402 payment handling, could target a non-default endpoint if SUPAH_API_BASE is changed.

Why it was flagged

The script makes outbound HTTP requests and allows the SUPAH API base URL to be overridden. This is expected for the skill, but a bad environment setting could send requests to an unintended endpoint.

Skill content

API_BASE="${SUPAH_API_BASE:-https://api.supah.ai}" ... curl -sf "${API_BASE}/agent/v1/market/regime?focus=${FOCUS}"

Recommendation

Leave SUPAH_API_BASE unset unless you intentionally trust the replacement endpoint.

What this means

Users have less external information to verify the publisher, backend service, or payment recipient.

Why it was flagged

The package metadata does not provide a source repository or homepage, which limits provenance checks for a skill that receives micropayments.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the ClawHub publisher, the advertised SUPAH endpoint, and the x402 payment recipient before funding an agent wallet for this skill.