NFT collection tracking, whale monitoring, and portfolio valuation for Base blockchain. Track floor prices, whale moves, and discover undervalued collections.
Security Analysis
medium confidenceThe skill's behavior mostly matches an NFT-tracking integration, but there are small inconsistencies (unused required binary, mismatched version strings) and a payment flow (x402/pay-to address) that users should understand before installing.
Name/description, network host (api.supah.ai), and the single required env var (SUPAH_API_BASE) align with an external NFT-data API. However, SKILL.md and registry require the binary 'curl' even though the bundled index.js only uses Node's https module, which is unnecessary and inconsistent. Version strings differ across files (registry 1.3.0, index.js prints v1.2.0, package.json 1.0.0) — likely sloppy maintenance but not necessarily malicious.
SKILL.md and index.js instruct outbound GETs to SUPAH_API_BASE (default https://api.supah.ai) for NFT floor, track, portfolio, and alerts. The instructions do not ask the agent to read local files or other env vars. The skill will transmit collection addresses and wallet addresses to the external API (expected for this purpose) — users should be aware that queries like portfolio valuation send wallet identifiers to the remote service.
No install spec (instruction-only), bundled Node script only; nothing downloaded from arbitrary URLs. Low installation risk.
Only SUPAH_API_BASE is required, which is appropriate. However, the skill advertises x402 micropayments and contains a hard-coded payTo address in SKILL.md metadata — calls will incur on-chain USDC micropayments (per-call pricing listed). The skill doesn't require wallet keys (it relies on the platform's x402 client), so verify your agent/platform will handle/charge micropayments as described and that you accept charges going to the listed address.
always is false; skill does not request elevated or persistent privileges. It does not modify other skills or system configs.
Guidance
This skill appears to be a straightforward wrapper around SUPAH's API and will send collection or wallet identifiers to https://api.supah.ai (or whatever SUPAH_API_BASE you set). Before installing: 1) confirm your agent/platform supports x402 micropayments and that you accept the per-call pricing and the hard-coded payTo address (0xD3B2eCfe77780bFfDFA356B70DC190C914521761); 2) be aware queries that value a wallet will transmit that wallet address to the external service; 3) the skill unnecessarily lists 'curl' as a required binary even though the shipped code uses Node — this is likely benign but indicates sloppy packaging; 4) source is listed as unknown/remote — if you need stronger assurance, verify the upstream project (https://github.com/supah-based/supah-nft-intelligence or https://supah.ai) and confirm package integrity and recent maintenance. If you cannot accept automatic micropayments or are uncomfortable sending wallet identifiers to the remote API, do not install.
Latest Release
v1.3.0
Removed all API key references, free tiers, subscription pricing. x402 only.
Popular Skills
Published by @supah-based on ClawHub
