SUPAH Whale Tracker
v1.3.0
Real-time whale activity monitoring and smart money following for Base blockchain. Track large transactions, wallet accumulation patterns, and smart money fl...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the code and SKILL.md: the skill queries a SUPAH API for whale data. However, registry/SKILL.md list 'curl' as a required binary even though the included code uses Node's https module and does not call curl, and SUPAH_API_BASE is declared required despite index.js providing a harmless default. These are inconsistencies but plausibly harmless (documentation drift).
Instruction Scope
SKILL.md instructs the agent to query SUPAH's API and explains x402 micropayments; the included index.js only makes HTTPS GETs (JSON) to the SUPAH API host and prints results. The instructions do not ask the agent to read unrelated files, credentials, or system paths, nor to send data to unexpected third parties.
Install Mechanism
No install spec; this is instruction-only with an included CLI script. There are no download URLs or extract steps in the skill manifest. The README contains an example install URL (tools.supah.ai) but that URL is not used by the skill package itself.
Credentials
The only declared env var is SUPAH_API_BASE (non-secret base URL). The skill does not request tokens, keys, or unrelated credentials. Note: SUPAH_API_BASE is declared required but the code uses a default value if it's absent. The SKILL metadata also embeds an x402 payTo address — normal for a paid API but means calls will incur on-chain micropayments which users should expect.
Persistence & Privilege
always is false and the skill does not modify other skills or system configuration. Autonomous invocation is allowed (platform default), which is expected for this type of skill.
Assessment
This skill appears to do what it says: it queries SUPAH's API (api.supah.ai) for whale data and expects x402 micropayments to a listed Base address. Before installing, verify the publisher and the payTo address (0xD3B2eCfe77780bFfDFA356B70DC190C914521761) are legitimate for SUPAH, and confirm you accept automated x402 micropayments (small USDC charges). Note the minor inconsistencies: SKILL.md/registry claim curl is required though the included code uses Node only, and SUPAH_API_BASE is marked required even though the code has a default. Those look like documentation drift rather than functional red flags, but if you need high assurance, ask the publisher for source/origin verification (the manifest lists a GitHub repo and a README install URL) and run the skill in a sandboxed environment first to confirm billing behavior.
Like a lobster shell, security has layers — review code before you run it.
latestvk97d45g71qd5pv7wxm4tdv6tcs83dkt3
Runtime requirements
🐋 Clawdis
Bins: curl, node
Env: SUPAH_API_BASE
