SUPAH Token Guardian

Name, description, required binaries (curl, node) and outbound host (api.supah.ai) match the declared purpose of calling a remote token-scanning API and formatting results locally. One minor inconsistency: the registry metadata lists SUPAH_API_BASE as a required env var, while SKILL.md describes it as optional (an override of the default API endpoint).

Runtime instructions and the included script only call the stated api.supah.ai endpoint, parse results, and output a report; they do not request other system credentials or read unrelated files. Two items to note: (1) the skill assumes an 'x402-compatible' agent that will automatically perform an on-chain USDC payment — this may result in unexpected charges if you enable the skill on an agent with a funded wallet; (2) the script writes the API JSON to /tmp/guardian-result.json (local persistence), which could be visible to other local users on multi-user systems and thus leak scan results or inferred trading intent.

No install spec (instruction-only) and a single small shell + Node parsing script are included. Nothing is downloaded or extracted at install time by the skill itself, which is lower risk.

The skill requests only SUPAH_API_BASE (used to override the API base URL). It does not request API keys or wallet/private-key credentials. However, functional usage requires that the agent has a funded wallet with USDC on Base to satisfy x402 micropayments; that financial requirement is external to the skill but relevant to privacy/expense risk. The SUPAH payTo address is declared in metadata (visible), so verify you trust the recipient before enabling automatic payments.

The skill does not request always:true and does not modify other skills or global agent configuration. It does write output to /tmp but otherwise requires no special system privileges.