Safety Report

SUPAH Base Intelligence

Name: SUPAH Base Intelligence
Author: supah-based

Comprehensive token intelligence for Base blockchain. Risk scores, whale tracking, signal analysis, and safety checks for any Base token. Powered by SUPAH 5-...

164Downloads

1Installs

0Stars

4Versions

API Integration11,971

Security Analysis

medium confidence

Clean

The skill's code, instructions, and requirements are internally consistent with a Base token intelligence client that calls the SUPAH API; it requests only a non-secret API base override and makes outbound HTTPS calls to api.supah.ai.

Mar 22, 20267 files

Purpose & Capabilityok

Name/description match the implemented behaviour: index.js implements token scans, safety checks, signals, wallet analysis by calling SUPAH API endpoints. Required binaries (node, curl) are reasonable. The only minor inconsistency: registry lists SUPAH_API_BASE as required but the code treats it as optional (it uses a default hostname). Version/repo/homepage fields differ across files but do not change behavior.

Instruction Scopeok

SKILL.md and code instruct only outward HTTPS API requests to SUPAH endpoints. There are no instructions to read local secrets, scan arbitrary files, or transmit data to unexpected hosts. The SKILL.md includes x402 micropayment metadata (payTo address) — the skill itself does not implement payments; it simply calls the API and reports a cost string.

Install Mechanismok

No install spec is provided (instruction-only install), and included JavaScript uses only Node built-ins (https). There are no external downloads, no package installs with third‑party dependencies, and no archives from untrusted URLs.

Credentialsok

Only SUPAH_API_BASE is listed; the code uses it solely as an API hostname override. No secret tokens, private keys, or unrelated credentials are requested. The x402 payment metadata references a payTo address, but the skill doesn't require or handle private keys — payments are described as handled externally via an x402-compatible client.

Persistence & Privilegeok

always is false and the skill does not request elevated privileges or modify system/other-skill configuration. It performs transient outbound HTTPS calls only and exports simple functions for on-demand use.

Guidance

This skill is coherent with its stated purpose: it only makes HTTPS requests to SUPAH API endpoints and doesn't ask for secrets. Before installing: (1) verify the skill source/repository and that the payTo address in SKILL.md/clawhub.json matches SUPAH's official documentation if you plan to use x402 payments; (2) if you set SUPAH_API_BASE, ensure it points to a trusted host (otherwise the agent will call whatever hostname you provide); and (3) be aware that using the skill will cause outbound network requests and may trigger on‑chain x402 micropayments via your environment's x402 client — the skill itself does not hold or require private keys. If you need stronger assurance, confirm the package's upstream GitHub repo and check that api.supah.ai is the intended production endpoint.

Latest Release

v1.3.0

Removed all API key references. x402 USDC only.

Popular Skills

self-improving-agent

@pskoett · 1,456 stars

Gog

@steipete · 672 stars

Tavily Web Search

@arun-8687 · 620 stars

Find Skills

@JimLiuxinghai · 529 stars

Proactive Agent

@halthelobster · 426 stars

Summarize

@summarize · 415 stars

Published by @supah-based on ClawHub