SUPAH Token Guardian
v1.3.0
Pre-trade token safety scanner for 21+ EVM chains. 6-layer deep scan: contract safety, liquidity health, deployer profiling, holder distribution, trading pat...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name, description, required binaries (curl, node) and outbound host (api.supah.ai) match the declared purpose of calling a remote token-scanning API and formatting results locally. One minor inconsistency: the registry metadata lists SUPAH_API_BASE as a required env var, while SKILL.md describes it as optional (an override of the default API endpoint).
Instruction Scope
Runtime instructions and the included script only call the stated api.supah.ai endpoint, parse results, and output a report; they do not request other system credentials or read unrelated files. Two items to note: (1) the skill assumes an 'x402-compatible' agent that will automatically perform an on-chain USDC payment — this may result in unexpected charges if you enable the skill on an agent with a funded wallet; (2) the script writes the API JSON to /tmp/guardian-result.json (local persistence), which could be visible to other local users on multi-user systems and thus leak scan results or inferred trading intent.
Install Mechanism
No install spec (instruction-only) and a single small shell + Node parsing script are included. Nothing is downloaded or extracted at install time by the skill itself, which is lower risk.
Credentials
The skill requests only SUPAH_API_BASE (used to override the API base URL). It does not request API keys or wallet/private-key credentials. However, functional usage requires that the agent has a funded wallet with USDC on Base to satisfy x402 micropayments; that financial requirement is external to the skill but relevant to privacy/expense risk. The SUPAH payTo address is declared in metadata (visible), so verify you trust the recipient before enabling automatic payments.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent configuration. It does write output to /tmp but otherwise requires no special system privileges.
Assessment
This skill appears to do what it says: it calls api.supah.ai to run a token safety scan and prints a report. Before installing, consider: (1) x402 micropayments — each scan costs $0.08 USDC on Base and the skill assumes your agent/wallet will pay automatically; ensure you understand and trust that automatic payment flow and that your agent wallet is not inadvertently funded. (2) Privacy — token addresses and chain info are sent to a remote service (api.supah.ai); if you care about revealing trading intent, review the provider. (3) Local file writes — results are saved to /tmp/guardian-result.json, which could be readable by other local users on multi-user hosts. (4) Minor metadata mismatch — SUPAH_API_BASE is marked required in registry metadata but described as optional in SKILL.md; you can ignore this unless you need to override the default endpoint. If you decide to proceed, review the included scripts (scripts/guardian-scan.sh) and confirm the api.supah.ai host and the payTo address are acceptable, and test with a single known token to verify behavior and charges.
Like a lobster shell, security has layers — review code before you run it.
latest: vk970xhd4r9qp5f22f5fyzh6evh83day4
Runtime requirements
🛡️ Clawdis
Bins: curl, node
Env: SUPAH_API_BASE
