Automated wallet monitoring with real-time alerts. Track portfolio value, detect suspicious transactions, monitor approvals, and get risk warnings across Bas...
Security Analysis
Medium confidence: The skill's code and docs mostly match a portfolio-monitoring tool, but small inconsistencies (an unused required binary, a declared required env var that has a safe default, embedded micropayment metadata and pay-to address, and local state persistence) merit caution before installing or granting it network/payment capabilities.
Name/description align with the code: the JS calls a SUPAH API to fetch portfolio/risk data and offers watch/list/health/alerts operations. Requiring 'node' is appropriate. However, SKILL.md/metadata also list 'curl' as a required binary while the packaged index.js never invokes curl, so that requirement is unnecessary and inaccurate. The metadata also includes x402 payment info (payTo address), which is coherent with the pricing claims but is an extra capability (payment) beyond pure read-only monitoring.
Runtime instructions and code only perform read-only queries to SUPAH endpoints and manage a local watched-wallets state file. The skill does not request private keys or other unrelated system data and explicitly states it does not store private keys. It does cause wallet addresses to be sent to the configured API endpoint (expected for this purpose).
There is no install spec — this is instruction+small JS utility only. The package has no external dependencies and does not download or extract remote archives. Low install risk.
The skill declares a required SUPAH_API_BASE env var, but the code falls back to a default ('api.supah.ai'), so the 'required' designation is inconsistent. SUPAH_API_BASE controls where wallet data is sent: if an operator sets it to a malicious host, the skill would send watched wallet addresses and requests there. The SKILL.md also embeds x402 payment metadata (payTo address), which implies the agent will be charged micropayments; this is coherent with the pricing statements but is a non-trivial capability (automatic payments) that should be explicitly approved by the user.
The tool writes/reads a state file at ~/.supah-guardian-state.json to store watched wallets and lastCheck. This is reasonable for a watchlist feature but is persistent data on the user's filesystem and could reveal watched wallet addresses to other local parties. The skill does not request system-wide privileges or modify other skills.
Guidance
Things to check before installing:
- Confirm the API host: SUPAH_API_BASE can redirect requests. If you don't want to override it, leave it unset so the skill uses the published default (api.supah.ai). Only set SUPAH_API_BASE to a host you trust.
- Micropayments: the skill embeds x402 payment metadata and a payTo address (0xD3B2...1761). Understand that use of the skill implies small automatic charges via your agent's x402-capable client; verify you are willing to pay and that your agent's payment client is configured securely.
- Local state: the skill stores watched wallets in ~/.supah-guardian-state.json. If you are concerned about revealing which wallets you monitor, run it in an isolated environment or inspect/redirect the state path.
- Unused requirement: SKILL.md lists 'curl' as required but the bundled code doesn't use it; this is likely harmless but indicates sloppy metadata.
- Verify upstream: the package.json lists a GitHub repo and the SKILL.md lists https://supah.ai and api.supah.ai. If you rely on this tool for real funds, verify the upstream project and maintainer legitimacy (website, repo activity, signed releases) before trusting payments or automated monitoring.
If you are uncomfortable with automatic micropayments or with an env var that could be repointed, run the skill in a sandboxed environment and review network traffic (or avoid setting SUPAH_API_BASE) before granting it network/payment privileges.
Latest Release
v1.3.0
Removed all API key references, subscription pricing. x402 only.
Published by @supah-based on ClawHub