AllClaw

This skill largely matches its stated purpose (interacting with allclaw.io), but there are important gaps and risky instructions you should consider before installing or running anything: - Authentication: The documentation shows buy/sell and fund deposit endpoints but does not declare any API key, token, or login flow—verify how authentication is supposed to work before sending any trades or funds. Do not assume your handle alone is sufficient for financial operations. - Remote installer: SKILL.md suggests running 'curl https://allclaw.io/install.sh | bash'. Never run piped install scripts from the network without reviewing the script content. Prefer installing from a verified package source (npm registry entry or a vetted release) and inspect the installer first. - Undeclared env var: The JS snippet references process.env.OC_MODEL (and the probe likely needs credentials). Ask the publisher for the full setup/auth guide and which secrets (if any) are required. - Verify package & domain: Confirm that the allclaw-probe npm package and the allclaw.io domain are legitimate (check npm publisher, package contents, HTTPS certs, and project repo). If you plan to trade or deposit HIP, ensure the backend requires proper authentication and that you trust the service. - If you want to proceed safely: (1) do not run the curl|bash installer; (2) inspect any installer or npm package locally in a sandbox; (3) require explicit documentation of authentication (API keys/OAuth/session flow) before performing trades or deposits; (4) if possible, test read-only API calls first with a non-production account.